Same failure as #679, eight days of peace later. Renovate auto-merged clap 4.x (Renovate has merge confidence; cargo vet is not a required check on auto-merge) and Cargo Security went red on main:
NOTE: this project trusts Ed Page (epage) - consider cargo vet trust clap_builder or cargo vet trust --all epage
estimated audit backlog: 91 lines
#680 trusted epage per crate (toml_edit, toml_writer), on the theory that staying scoped was safer. That theory is now falsified: epage publishes half the CLI ecosystem we depend on (clap, clap_builder, clap_derive, anstream, anstyle, …), and every one of them re-breaks main on its next bump. The scoped approach just schedules the next outage.
Fix: cargo vet trust --all epage, plus explicit trusts for clap/clap_derive (skipped by --all because they have multiple historical publishers). mozilla and bytecode-alliance — both audit sets we import — trust epage; we already did too, one crate at a time.
Same failure as #679, eight days of peace later. Renovate auto-merged
clap4.x (Renovate has merge confidence;cargo vetis not a required check on auto-merge) andCargo Securitywent red onmain:#680 trusted epage per crate (toml_edit, toml_writer), on the theory that staying scoped was safer. That theory is now falsified: epage publishes half the CLI ecosystem we depend on (clap, clap_builder, clap_derive, anstream, anstyle, …), and every one of them re-breaks main on its next bump. The scoped approach just schedules the next outage.
Fix:
cargo vet trust --all epage, plus explicit trusts forclap/clap_derive(skipped by--allbecause they have multiple historical publishers). mozilla and bytecode-alliance — both audit sets we import — trust epage; we already did too, one crate at a time.