by kvuj 139 days ago
The cargo.lock file is 2200+ lines long. Did they spend a reasonable amount of time auditing these dependencies?
5 comments

That's 238 dependencies (counting multiple versions of the same crate).

* Many of them are part of families of crates maintained by the same people (e.g. rust-crypto, windows, rand or regex).

* Most of them are popular crates I'm familiar with.

* Several are only needed to support old compiler versions and can be removed once the MSRV is raised.

So it's not as bad as it looks at first glance.

What would be a reasonable amount of time to audit the dependencies?
I would let them decide based on their security policy.

If Microsoft states that they don't have any for a project like this, I would be wary of taking it too seriously.

They ran it through Copilot which gave it the all-clear.

  grep 'name = ' ms-litebox-Cargo.lock | wc -l
     238
edit:

  grep 'name = ' ms-litebox-Cargo.lock | sort -u | wc -l
     221
I've always done 'sort | uniq'. Never bothered to check for the unique flag to sort. Although 'uniq -c' is quite nice to have.

       -c, --count
              prefix lines by the number of occurrences
Yeah, to see the packages with multiple versions:

  grep 'name = ' ms-litebox-Cargo.lock | sort | uniq -c | grep -v '1 name' | sort -n
Package windows-sys has the highest number of versions included, 3: 0.59.0, 0.60.2, and 0.61.2.

Edit: Also, beware of the unsorted uniq count:

  cat <<EOF | uniq -c
  > a
  > a
  > b
  > a
  > a
  > EOF
   2 a
   1 b
   2 a
grep -v '1 name' excludes 11, 21, etc., but I take your point.
Given, you know, Microsoft, I'd demand proof even if they said they did.