by bjackman 401 days ago
Also shout out to cargo-vet.

It lets you track what packages you "trust". Then you can choose to transitively trust the packages trusted by entities you trust.

This lets you have a policy like "importing a new 3rd party package requires a signoff from our dependency tzar. But, packages that Google claim to have carefully reviewed are fine".

You can also export varying definitions of "trust". E.g. Google exports statements like:

- "this package has unsafe code, one of our unsafe experts audited it and thinks it looks OK"

- "this package doesn't do any crypto"

- "this is a crypto library, one of our crypto experts audited it and thinks it looks ok"

https://github.com/google/rust-crate-audits/blob/main/auditi...

Basically it's a slightly more formal and detailed version of blessed.rs where you can easily identify all the "it's not stdlib, but, it's kinda stdlib" stuff and make it easily available to your team without going full YOLO mode.

It can also give you a "semi-YOLO" approach, it supports rationales like "this package is owned by a tokio maintainer, those folks know what they're doing, it's probably fine". I think this is a nice balance for personal projects.
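As an added illustration (not part of the comment above, and not Google's or cargo-vet's own files), this is roughly how the policy described there is expressed in a project's `supply-chain/` directory. The crate names, the criterion names on the `ours` side, the `user-id`, the dates and the import URL are placeholders; the key names follow cargo-vet's `config.toml` / `audits.toml` format.

```toml
# --- supply-chain/config.toml (illustrative fragment; the [cargo-vet] version header is omitted) ---

# Import an external audit set and map its criteria onto ours, so that
# "the importer's experts reviewed it" satisfies our bar without a local sign-off.
[imports.google]
url = "https://example.invalid/audits.toml"   # placeholder: raw URL of the audits file linked above
criteria-map = [
    { theirs = "safe-to-deploy", ours = "safe-to-deploy" },
    { theirs = "crypto-safe", ours = "crypto-reviewed" },            # assumed name for their crypto-expert criterion
    { theirs = "does-not-implement-crypto", ours = "no-crypto" },    # assumed name for their "no crypto here" criterion
]

# Every dependency of this crate must reach safe-to-deploy via a local audit,
# an imported audit, or a trusted publisher; anything else fails `cargo vet`,
# which is what forces the manual review for a new 3rd party crate.
[policy.example-app]
criteria = "safe-to-deploy"

# --- supply-chain/audits.toml (illustrative fragment) ---

# Local criteria that the mapping above targets.
[criteria.crypto-reviewed]
description = "Cryptographic code was reviewed by one of our crypto reviewers."

[criteria.no-crypto]
description = "The crate contains no cryptographic implementation."

# A locally recorded audit of one specific version.
[[audits.example-crate]]
who = "Dependency Reviewer <reviewer@example.invalid>"   # placeholder
criteria = "safe-to-deploy"
version = "1.2.3"
notes = "No unsafe, no network access, no build script."

# The "semi-YOLO" rule: accept every version published by this crates.io user
# within a bounded window, instead of auditing each release.
[[trusted.example-crate]]
criteria = "safe-to-deploy"
user-id = 0                 # placeholder: crates.io user id of the trusted maintainer
start = "2023-01-01"
end = "2025-01-01"
notes = "Published by a long-standing tokio maintainer."
```

The time window on `trusted` entries is the control that keeps publisher-based trust from silently covering a future account compromise forever; `cargo vet` reports the gap once `end` passes.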