by chubs 39 days ago
To mitigate supply chain attacks like this, I've taken to specifying exact versions in my Rust cargo.toml, and when importing new crates, select the previous-to-latest version. Is this a reasonable mitigation? It bugs me that Swift deprecates the concept of specifying exact versions, it actively pushes you towards semver which leaves the door open to this.

> select the previous-to-latest version

For supply chain attacks that simply bide their time, or for dependencies which involve interacting with other subsystems, it's possible you miss a critical security update by doing this. Of course, the maintainers of the crates should yank known bad releases, but that's putting trust in a third-party that may have already been compromised.

Cargo will still pick the latest for transitive dependencies that aren't explicitly specified in your Cargo.toml. This is what Cargo.lock is for.
Oh good point, I didn't think of transitive dependencies. A lot of languages I've worked with unfortunately have a 'do not check in the lockfile' culture, and a common 'blow away the lockfile when the package manager gets stuck' workflow, so that does concern me. Perhaps Cargo is better than average though, and the lockfile never needs nuking, providing this safety. This sounds like a good reason to check in the lockfile! Thanks for the response.
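As an added illustration of the two approaches discussed in this thread (not code from either commenter), here is a Cargo manifest that shows the default caret requirement next to an exact `=` pin. The crate names and version numbers are made up.

```toml
[package]
name = "example-app"      # hypothetical crate for this example
version = "0.1.0"
edition = "2021"

[dependencies]
# Default (caret) requirement: "1.2" means >= 1.2.0, < 2.0.0.
# `cargo update` may move this to any newer 1.x release,
# including one published minutes ago by a compromised account.
some-crate = "1.2"

# Exact requirement: only 1.2.3 satisfies it, so this direct
# dependency cannot be bumped by a routine `cargo update`.
other-crate = "=1.2.3"
```

The `=` operator constrains only the direct dependency; whatever `other-crate` itself depends on is still chosen by the resolver, and the concrete versions it settled on are recorded in Cargo.lock. That is why committing Cargo.lock matters: with the lockfile present, a plain `cargo build` reuses the recorded versions rather than re-resolving, and running `cargo build --locked` in CI makes the build fail outright if the lockfile would need to change, instead of silently pulling in a newer transitive release. When a targeted update is genuinely needed, `cargo update -p <crate>` refreshes one entry rather than the whole tree.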