[spease]

Maybe, but it’s kind of half-assed to just figure out a solution that only works for stdx and then leave every other library out to hang.

Supporting tools like cargo audit would be a better choice for the entire ecosystem, not just things that are appropriate to have in stdx.

[necovek]

I am not sure you are proposing a solution for the raised problem: the more people there are in the supply chain, the higher the risk that someone turns rogue or gets hacked.

How could cargo audit help there when you don't know if a particular package has been infiltrated?