serde has 13M weekly downloads and one crate owner. Rust's supply chain risk looks like npm's.

DEV Community·Pico·24 days ago

Rust developers tend to assume their supply chain is safer than npm's. The language is safer. The compiler catches more. The ecosystem feels more considered. None of that helps when the threat is a compromised crates.io account. I added Cargo support to Proof of Commitment this week and ran the same analysis I've been doing on npm and Python. The results are structurally identical.

## The numbers

I audited the 20 most-downloaded Rust crates. 11 scored CRITICAL, meaning a single crates.io owner account sits behind a massive download volume. Here are the worst:

| Crate | Downloads/wk | Owners | Risk |
|---|---|---|---|
| syn | 22.6M | 1 | 🔴 CRITICAL |
| rand | 19.1M | 1 | 🔴 CRITICAL |
| thiserror | 17.1M | 1 | 🔴 CRITICAL |
| quote | 16.1M | 1 | 🔴 CRITICAL |
| proc-macro2 | 15.6M | 1 | 🔴 CRITICAL |
| serde | 13.3M | 1 | 🔴 CRITICAL |
| serde_json | 12.8M | 1 | 🔴 CRITICAL |
| regex | 11.8M | 1 | 🔴 CRITICAL |
| clap | 11.8M | 1 | 🔴 CRITICAL |
| anyhow | 10.2M | 1 | 🔴 CRITICAL |
| hyper | 10.1M | 1 | 🔴 CRITICAL |

Eleven CRITICAL crates in the top 20. Combined: roughly 160 million downloads per week behind single-owner crates.io accounts.…
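The audit the post describes, turned into a runnable check for your own project: read the crates.io dependencies out of a `Cargo.lock`, score each one by owner count and download volume, and total the downloads that sit behind single-owner accounts. This is an added example, not code from the post or from Proof of Commitment, and it makes assumptions: the scoring thresholds (1M downloads/week for CRITICAL, and the Medium/Low tiers) are this example's own, since the post only states the single-owner rule; the registry snapshot is filled in from the post's table rather than fetched (a live tool would pull daily counts from `/api/v1/crates/{name}/downloads` and the owner list from `/api/v1/crates/{name}/owners`); and `team-owned-example`, `vendored-helper`, `myapp` and the lockfile text are constructed.

```rust
use std::{cmp::Reverse, collections::BTreeMap};

/// Risk tiers, ordered worst-last so `Reverse` sorts CRITICAL to the top.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Risk { Low, Medium, High, Critical }

/// Per-crate facts from crates.io (`/api/v1/crates/{name}/downloads` for daily counts to
/// sum into a weekly figure, `/api/v1/crates/{name}/owners` for the owner list); filled in
/// here from the post's table so the example runs offline.
#[derive(Debug, Clone)]
pub struct CrateInfo { pub weekly_downloads: u64, pub owners: u32 }

/// Scoring rule. ASSUMPTION: the post only says "single owner with massive download
/// volume" is CRITICAL; the 1M/week cut-off and the lower tiers are this example's own.
pub fn score(info: &CrateInfo) -> Risk {
    match (info.owners, info.weekly_downloads) {
        (1, d) if d >= 1_000_000 => Risk::Critical,
        (1, _) => Risk::High,
        (2, d) if d >= 1_000_000 => Risk::Medium,
        _ => Risk::Low,
    }
}

const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

/// Parse `key = "value"` from one trimmed Cargo.lock line.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.strip_prefix('"')?.strip_suffix('"')?.to_string())
}

/// Names of crates.io packages in a Cargo.lock, in file order. Minimal line-based reader of
/// the `[[package]]` tables; workspace members (no `source`) and git/path dependencies are
/// skipped because a crates.io account takeover cannot reach them.
pub fn crates_io_packages(lock: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut cur: Option<(Option<String>, Option<String>)> = None; // (name, source)
    for raw in lock.lines().chain(std::iter::once("[[end]]")) { // sentinel flushes last table
        let line = raw.trim();
        if line.starts_with('[') {
            if let Some((Some(name), Some(source))) = cur.take() {
                if source == CRATES_IO { out.push(name); }
            }
            if line == "[[package]]" { cur = Some((None, None)); }
        } else if let Some(entry) = cur.as_mut() {
            if let Some(n) = quoted_value(line, "name") { entry.0 = Some(n); }
            else if let Some(s) = quoted_value(line, "source") { entry.1 = Some(s); }
        }
    }
    out
}

/// Score every crates.io dependency in the lockfile, worst first; `None` means the snapshot
/// has no data for that crate (treat that as "go and look", not as fine).
pub fn audit(lock: &str, registry: &BTreeMap<&str, CrateInfo>) -> Vec<(String, Option<Risk>)> {
    let mut rows: Vec<_> = crates_io_packages(lock).into_iter()
        .map(|name| { let risk = registry.get(name.as_str()).map(score); (name, risk) })
        .collect();
    rows.sort_by_key(|(name, risk)| (Reverse(*risk), name.clone()));
    rows
}

/// Weekly downloads behind single-owner accounts: the post's "roughly 160 million" figure.
pub fn single_owner_downloads(registry: &BTreeMap<&str, CrateInfo>) -> u64 {
    registry.values().filter(|c| c.owners == 1).map(|c| c.weekly_downloads).sum()
}

/// Snapshot: the eleven CRITICAL crates from the post's table plus one hypothetical
/// multi-owner crate (constructed for contrast; not a real crates.io package).
pub fn sample_registry() -> BTreeMap<&'static str, CrateInfo> {
    let single = [
        ("syn", 22_600_000), ("rand", 19_100_000), ("thiserror", 17_100_000),
        ("quote", 16_100_000), ("proc-macro2", 15_600_000), ("serde", 13_300_000),
        ("serde_json", 12_800_000), ("regex", 11_800_000), ("clap", 11_800_000),
        ("anyhow", 10_200_000), ("hyper", 10_100_000),
    ];
    let mut reg: BTreeMap<&'static str, CrateInfo> = single.iter()
        .map(|&(n, d)| (n, CrateInfo { weekly_downloads: d, owners: 1 }))
        .collect();
    reg.insert("team-owned-example", CrateInfo { weekly_downloads: 2_000_000, owners: 4 });
    reg
}

/// Constructed Cargo.lock excerpt (root crate, the multi-owner crate and the git URL are made up).
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "myapp"
dependencies = ["serde", "team-owned-example", "vendored-helper"]

[[package]]
name = "serde"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "team-owned-example"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "vendored-helper"
source = "git+https://example.invalid/vendored-helper#0000000"
"#;

fn main() {
    let reg = sample_registry();
    for (name, risk) in audit(SAMPLE_LOCK, &reg) { println!("{name:<20} {risk:?}"); }
    println!("single-owner downloads/wk: {}", single_owner_downloads(&reg));
}
```

Two practitioner notes on the owner count. The crates.io owners endpoint lists user owners and team owners together; this example counts each entry as one owner, which is an assumption about how the post's tool counts, and a team entry can front several people who can all publish. And a crate with several owners is only safer if those owners are different people with different credentials; the count says nothing about whether publishing is gated by 2FA or a trusted CI pipeline, so treat it as a triage signal, not a verdict.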
