
> In a recent analysis, Adam Harvey found that among the 999 most popular crates on crates.io, around 17% contained code that does not match their code repository.

Huh, how is this possible? Is the code not pulled from the repository? Why not?



Publishing doesn't go through GitHub or another forge, it's done from the local machine. Crates can contain generated code as well.


The most common reason is that a quick manual step is needed before publishing. Nothing malicious. Often it is just removing paths used during dev from Cargo.toml. Should it be automated? Sure, but that is extra work.
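A defender-side check for the mismatch discussed in this thread, as an added example (not from the article, Adam Harvey's analysis, or any crates.io tooling): it compares the file tree of a repository checkout at the release tag with the tree unpacked from the published .crate, skipping the files that cargo publish itself rewrites or adds. The trees, paths and file contents are constructed sample data.

```rust
use std::collections::BTreeMap;

/// Relative path -> file contents (a real tool would compare hashes of the bytes).
pub type Tree = BTreeMap<String, String>;

/// Files that `cargo publish` rewrites or adds in every .crate tarball,
/// so a difference there is expected rather than a manual pre-publish edit.
const GENERATED_BY_CARGO: &[&str] = &["Cargo.toml", "Cargo.toml.orig", "Cargo.lock", ".cargo_ok"];

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Mismatch {
    /// In the tarball but not in the repository: the case worth reviewing.
    pub only_in_crate: Vec<String>,
    /// Same path, different contents.
    pub differing: Vec<String>,
    /// In the repository but left out of the package (tests, CI files,
    /// `exclude` entries); usually benign, listed for completeness.
    pub only_in_repo: Vec<String>,
}

impl Mismatch {
    /// True when every source file shipped matches the repository.
    pub fn is_clean(&self) -> bool {
        self.only_in_crate.is_empty() && self.differing.is_empty()
    }
}

/// Compare a repository checkout at the release tag with the unpacked .crate.
pub fn compare(repo: &Tree, published: &Tree) -> Mismatch {
    let mut m = Mismatch::default();
    for (path, contents) in published {
        if GENERATED_BY_CARGO.contains(&path.as_str()) {
            continue; // expected to differ, not evidence of a manual edit
        }
        match repo.get(path) {
            None => m.only_in_crate.push(path.clone()),
            Some(c) if c != contents => m.differing.push(path.clone()),
            Some(_) => {}
        }
    }
    m.only_in_repo = repo.keys().filter(|p| !published.contains_key(*p)).cloned().collect();
    m
}

/// Build a tree from (path, contents) pairs; used for the constructed sample below.
pub fn tree(files: &[(&str, &str)]) -> Tree {
    files.iter().map(|(p, c)| (p.to_string(), c.to_string())).collect()
}

/// Constructed sample (not a real crate): the repo has a dev-only `path` dependency
/// in Cargo.toml and no generated bindings; the tarball has both edits applied.
pub fn sample_trees() -> (Tree, Tree) {
    let repo = tree(&[("Cargo.toml", "[dependencies]\nfoo = { path = \"../foo\" }\n"), ("src/lib.rs", "pub fn f() {}\n"), ("tests/t.rs", "#[test] fn t() {}\n")]);
    let published = tree(&[("Cargo.toml", "[dependencies]\nfoo = \"1.0\"\n"), ("Cargo.toml.orig", "(normalized copy)"), ("src/lib.rs", "pub fn f() { g() }\n"), ("src/bindings.rs", "pub fn g() {}\n")]);
    (repo, published)
}
```

Running `compare` on the sample flags `src/bindings.rs` as present only in the tarball and `src/lib.rs` as differing, while the Cargo.toml edit is ignored as cargo-generated.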



