repi

Results 194 comments of repi

Agree that it would be quite powerful to be able to verify that the crate and the git repo it was published from were matching and warn or require that...

Ah neat, would indeed be good if it was possible for it also to not do the actual fetch, just verify if the commit exists

Yup that would be a good improvement, I was a bit surprised they didn't have a more integrated / automatic way of doing this for actions. But should be possible...

Thanks @briansmith! Agreed this needs to be a proper secure hash and longer. It doesn't make it harder to use and for those that do rely on it it...

This would indeed be nice to support both for binary program crates as well as for git repositories!

We had a specific problem in https://github.com/EmbarkStudios/rust-gpu/pull/132 where our `tar` dependency, and as such the entire repo in the badge, got flagged as "insecure", even though we through Cargo.lock was...

If this doesn't panic anymore, then the issue could be closed?

> In the end, is the best approach to set ndk = "*" and ndk-glue = "*" in libraries that use android-ndk? It's such a pain to bump every...

Here is a list of dependencies that we use that today all depend on `ndk-glue` for their Android version and as such run into this problem:

- `app_dirs2`
- `cpal`...

cargo-about does have a concept of [_workarounds_](https://embarkstudios.github.io/cargo-about/cli/generate/workarounds.html) which is meant to tackle crates that do not correctly define their licenses that I think can be used here. Though best is...