• New Security tab displays RustSec advisories and affected version ranges for each crate.
• Trusted Publishing now supports GitLab CI/CD via OIDC, expanding beyond GitHub Actions.
• Crate owners can enable Trusted Publishing Only mode, disabling legacy API token publishing.
• The pull_request_target and workflow_run GitHub Actions triggers are blocked to prevent security incidents.
• Implementation refactored for multi‑CI provider support, paving the way for Codeberg/Forgejo.
• OpenSSF funding and Dirkjan Ochtman’s work enabled the Security tab feature.
Article Summaries:
- Time flies! Six months have passed since our last crates.io development update, so it’s time for another one. Here’s a summary of the most notable changes and improvements made to crates.io over the past six months. Security Tab: Crate pages now have a new “Security” tab that displays security advisories from the RustSec database. This allows you to quickly see if a crate has known vulnerabilities before adding it as a dependency. The tab shows known vulnerabilities for the crate along with the affected version ranges. This feature is still a work in progress, and we plan to add more functional
- Crates.io released a six‑month development update highlighting several key improvements. A new “Security” tab on crate pages now pulls advisories from the RustSec database, showing vulnerable version ranges. Trusted Publishing has expanded to support GitLab CI/CD, added an “only mode” that disables API‑token publishing, and blocks risky GitHub Actions triggers. Crate pages now display source lines of code (SLOC) via a background job, and a new pubtime field records each version’s publish date. The team also began an experimental migration of the site to a Svelte‑based frontend, aiming to modernize the UI while preserving existing functionality.