Rust — Cargo
Cargo (Cargo.lock)
cargo update -p reqwest
# Coerce a transitive — Cargo.toml:
# [patch.crates-io]
# reqwest = { version = "0.12" }
cargo update
[patch.crates-io] redirects every reference to a crate version, regardless of where in the graph it sits. For source-level patches (a fork or a local path), [patch] accepts path = ... or git = .... Integrity is per-entry SHA-256.
Gotcha: Cargo.lock is committed for binaries but conventionally not for libraries — for an SCA fix in a library crate, the right output is a release bump rather than a lockfile change.
Developer gotchas — written for people who live in the code
Cargo.lockis committed for binaries, ignored for libraries. A library’s downstream consumer resolves their own deps; yourCargo.lockdoesn’t ship. An SCA flag against a library crate’sCargo.lockonly affects your build, not consumers — for them, publish aCargo.tomlbump.- Feature flags change the dep set drastically.
tokiowith default features pulls intokio-macros,mio,socket2, etc. Withdefault-features = false, features = ["sync"], the dep set is a tenth the size. A CVE inmiomay not be in your build if you disabled the relevant feature. [patch.crates-io]and[replace]look similar; only[patch]works.[replace]is deprecated. Use[patch.crates-io]for crates-io overrides;[patch."https://..."]for git deps.- Dev-dependencies don’t end up in
cargo build’s release artefact.[dev-dependencies]only compile undercargo test/cargo bench. CVE flags against them are runtime-not-affected for production binaries. build-dependenciesrun on the build host. A CVE in abuild.rsdep (abindgen, acc) runs during compilation, not in your final binary. Production-runtime VEX isvulnerable_code_not_presentif you can prove the build-dep didn’t end up linked.unsafeblocks andextern "C"bring in C deps invisible tocargo. A CVE inopenssl-sysmay reflect a linked system OpenSSL, not Rust code. Scan the container or the linked binary, not justCargo.lock.- Workspaces share
Cargo.lockbut not features. In a workspace,cargo build -p crate-amay pick different features thancargo build -p crate-beven though both share the same lockfile. A feature-gated CVE in a shared dep may be reachable from one crate and dead in another.
Reachability
cargo tree -p <crate> -e features --invertshows what depends on the crate.cargo-callgraphorcargo-modulesfor symbol-level analysis.cargo-udepsflags unused dependencies (one signal that a transitive is dead in practice).- Runtime:
cargo tarpaulinfor coverage, orcargo llvm-covon nightly.