[$] Vetting the cargo

Post Syndicated from original https://lwn.net/Articles/897435/

Modern language environments make it easy to discover and incorporate
externally written libraries into a program. These same mechanisms can
also make it easy to inadvertently incorporate security vulnerabilities or
overtly malicious code, which is rather less gratifying. The stream of
resulting vulnerabilities seems like it will never end, and it afflicts
relatively safe languages like Rust just as much as any other language. In
an effort to avoid the embarrassment that comes with shipping
vulnerabilities (or worse) by way of its dependencies, the Mozilla project
has come up with a new supply-chain management tool known as "cargo vet".