reviewer

Rust crates reviews

Cryptographically verifiable, distributed dependency reviews

reviewer: kornelski

https://lib.rs/kornelski

Rust links:

$ cargo crev repo fetch url https://github.com/kornelski/crev-proofs
$ cargo crev id trust rBGRONmiSLmELT1SuRDDScgLcoJl8mTdEbZqz1XCesM

repo: https://github.com/kornelski/crev-proofs

Please, use mobile in landscape.

crate version

rating

date

reviewer

thoroughness, understanding

ahash 0.3.8

positive

2020-10-22

kornelski

low, low

alternative:

https://crates.io

fxhash

allan-tools 0.1.2

positive

2022-01-13

kornelski

low, low

arbitrary 0.4.7

positive

2021-01-12

kornelski

low, low

arg_enum_proc_macro 0.3.0

positive

2021-01-06

kornelski

low, low

atomic-polyfill 0.1.5

positive

2021-12-06

kornelski

low, medium

atomic_enum 0.1.1

positive

2021-11-24

kornelski

medium, medium

autocfg 1.0.1

positive

2021-02-24

kornelski

low, medium

autocfg 1.0.1

positive

2021-02-24

kornelski

low, medium

binary-ff1 0.2.0

positive

2021-11-18

kornelski

low, medium

bitreader 0.3.2

positive

2020-10-21

kornelski

low, low

blake3 1.1.0

neutral

2021-10-29

kornelski

low, low

Build script is benign. It depends on a bunch of C code, which I haven't checked (hence neutral rating)

bytecount 0.6.2

positive

2021-07-14

kornelski

low, medium

cargo-bump 1.1.0

positive

2022-06-29

kornelski

low, medium

alternative:

https://crates.io

cargo-v

Slow due to use of cargo-metadata, and doesn't work with workspaces for no good reason

cargo-deny 0.9.1

positive

2021-08-10

kornelski

low, low

cargo-incversion 0.1.2

neutral

2022-06-29

kornelski

low, medium

alternative:

https://crates.io

cargo-bump

Very basic TOML parsing, like sed s/^version/

cargo-pgo 0.2.2

positive

2022-11-16

kornelski

low, low

cargo-v 1.0.1

neutral

2022-06-29

kornelski

low, medium

alternative:

https://crates.io

cargo-bump

Very basic TOML parsing, like sed s/^version/

cfg-expr 0.7.4

positive

2021-11-24

kornelski

low, medium

alternative:

https://crates.io

parse_cfg

ci_info 0.9.2

positive

2021-01-20

kornelski

low, medium

const_fn 0.4.2

neutral

2020-11-02

kornelski

low, low

So much complexity for a bit of backwards-compat :(

cpufeatures 0.1.5

positive

2021-08-20

kornelski

low, medium

critical-section 0.2.5

positive

2021-12-06

kornelski

low, low

css-color 0.2.4

positive

2022-09-13

kornelski

low, medium

alternative:

https://crates.io

csscolorparser

csscolorparser 0.6.2

positive

2022-09-13

kornelski

low, medium

alternative:

https://crates.io

css-color-parser2

data-url 0.1.1

positive

2022-09-02

kornelski

low, medium

dirs-next 2.0.0

positive

2022-01-04

kornelski

medium, high

Nice and simple. macOS uses hardcoded paths rather than Cocoa APIs, but that's fine.

dirs-sys-next 0.1.2

positive

2021-04-19

kornelski

low, low

envmnt 0.8.4

positive

2021-01-21

kornelski

low, medium

fallible_collections 0.4.1

positive

2021-04-19

kornelski

low, medium

fsio 0.1.3

positive

2021-01-19

kornelski

low, medium

geo-types 0.7.2

positive

2021-07-14

kornelski

low, low

geohash 0.11.0

positive

2021-07-14

kornelski

low, medium

hermit-abi 0.1.12

positive

2021-06-29

kornelski

low, low

humansize 1.1.1

positive

2021-07-14

kornelski

low, medium

interpolate_name 0.2.3

positive

2020-09-14

kornelski

low, medium

ipnet 2.3.0

positive

2020-12-01

kornelski

low, medium

libv 0.1.2

negative

2022-09-08

kornelski

none, none

alternative:

https://crates.io

libc

Typosquatting

linked-hash-map 0.5.4

neutral

2021-08-23

kornelski

low, low

There's a lot of unsafe pointer-juggling here for managing linked lists.

maimo 0.0.3

negative

2022-07-05

kornelski

medium, low

alternative:

https://crates.io

forage

Warning: this is stolen code

miniz_oxide 0.4.2

positive

2020-09-14

kornelski

low, low

multer 2.0.1

positive

2021-11-24

kornelski

low, medium

nias 0.4.0

neutral

2021-01-19

kornelski

low, medium

These are helper functions. They aren't actually closures, but plain function pointers.

noop_proc_macro 0.2.1

positive

2020-09-18

kornelski

high, high

Literally nothing to see here

ntapi 0.3.6

positive

2021-10-29

kornelski

low, low

The build script is benign. It does what it says on the tin. I haven't checked whether definitions match the ABI.

os_str_bytes 6.3.0

positive

2022-08-19

kornelski

low, low

parse_cfg 2.0.0

neutral

2021-02-24

kornelski

high, high

alternative:

https://crates.io

cfg-expr

peak_alloc 0.1.0

positive

2021-10-05

kornelski

low, medium

It really is a thin wrapper around System.alloc (too bad it can't wrap other allocators)

pin-utils 0.1.0

positive

2021-05-17

kornelski

low, low

quick-xml 0.23.0

negative

2022-07-07

kornelski

low, medium

alternative:

https://crates.io

xml-rs

This crate uses a bytewise parser even for files in UTF-16 encoding. It can be tricked into parsing plain text as XML elements (e.g. UTF-16BE "䄼A†⼾" is parsed as <A /> and fires an element event).

rdkafka-sys 4.1.0+1.7.0

positive

2021-11-24

kornelski

low, medium

redox_users 0.3.5

positive

2021-01-21

kornelski

low, low

resize 0.5.5

positive

2021-01-20

kornelski

high, high

riff 1.0.1

positive

2022-12-12

kornelski

medium, medium

rusoto_core 0.47.0

positive

2022-09-20

kornelski

low, medium

rust-argon2 0.8.3

positive

2021-01-20

kornelski

low, medium

rust_hawktracer_proc_macro 0.4.1

neutral

2021-02-02

kornelski

medium, medium

It calls unsafe add_cached_mapping

rust_hawktracer_proc_macro 0.4.1

neutral

2021-02-02

kornelski

medium, medium

It doesn't use robust parsing and doesn't validate inputs. It's probably fine anyway.

rust_hawktracer_sys 0.4.2

negative

2021-02-02

kornelski

low, low

Has public functions that take arbitrary raw pointers, but aren't marked as unsafe

rustify 0.5.3

positive

2022-09-16

kornelski

low, medium

rustify_derive 0.5.2

positive

2022-09-16

kornelski

low, medium

rustracing_jaeger 0.5.0

positive

2020-10-21

kornelski

low, low

scan_fmt 0.2.5

positive

2020-09-14

kornelski

low, medium

scan_fmt 0.2.5

positive

2020-09-14

kornelski

low, medium

sct 0.6.1

positive

2021-05-17

kornelski

low, low

sct 0.6.0

positive

2020-11-13

kornelski

low, low

sentry-contexts 0.23.0

positive

2021-11-24

kornelski

low, medium

sentry-contexts 0.23.0

positive

2021-11-24

kornelski

low, medium

sentry-core 0.23.0

positive

2021-08-10

kornelski

low, low

simd_helpers 0.1.0

positive

2020-11-13

kornelski

low, medium

it just splits a string

smartstring 0.2.5

positive

2020-10-19

kornelski

low, low

alternative:

https://crates.io

smol_str

spin 0.5.2

positive

2021-05-17

kornelski

low, low

I don't see anything wrong with it, but atomics are notoriously tricky, so please keep in mind that my review is marked with understanding=low

static_assertions 1.1.0

positive

2021-01-06

kornelski

low, medium

strum 0.21.0

positive

2021-08-20

kornelski

low, low

strum_macros 0.21.1

positive

2021-08-20

kornelski

low, low

tinyvec_macros 0.1.0

positive

2020-12-15

kornelski

medium, medium

tokio-retry 0.3.0

positive

2021-11-16

kornelski

low, medium

The API of the exponential backoff strategy is surprising, as it uses the same number for the base and the exponent.

tonic 0.4.3

positive

2021-05-08

kornelski

low, medium

tower-service 0.3.1

positive

2021-05-17

kornelski

low, medium

tracing 0.1.22

positive

2020-12-15

kornelski

low, low

trackable_derive 0.1.3

positive

2021-01-06

kornelski

low, low

try_from 0.3.2

negative

2020-10-21

kornelski

low, medium

alternative:

https://crates.io

derive_more

TryFrom is now in the standard library, and this library does not fall back to the standard trait.

vaultrs 0.6.2

positive

2022-09-16

kornelski

low, medium

version-compare 0.0.11

positive

2021-08-10

kornelski

low, medium

vte 0.3.3

neutral

2021-07-14

kornelski

low, low

Uses mem::uninitialized() instead of MaybeUninit or ArrayVec.