Description
Problem
Supply chain attacks with malicious packages downloaded via dependencies or indirect dependencies are exploding in the NPM ecosystem.
Auditing dependencies with tools like cargo crev and cargo vet seems necessary for packages with high security requirements; however, those tools are not widely used yet, and directly auditing every dependency could be too demanding a task for small teams.
Proposed Solution
The proposal is an option for cargo update to update all dependencies only up to a certain date in the past, so that just-released packages are skipped.
The rationale is that malicious packages are most likely to remain undetected close to their release date; after a while they tend to be spotted and reported.
Notes
Example:
my project has in Cargo.toml
[dependencies]
coollib = "0.1.0"
And a Cargo.lock with the same version.
coollib 0.1.2 was released 30 days ago.
coollib 0.1.3 was released yesterday.
I would like to use something like:
cargo update --older 10d
And Cargo.lock would be updated to coollib 0.1.2, because 0.1.3 is too recent.
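A sketch of the selection rule such a flag would apply, added here as an illustration and not part of cargo or of this issue. It assumes the registry listing is reduced to version triples with epoch-second publish times (constructed sample data), that cargo's default caret requirement applies, and that the hypothetical `--older` window is expressed as a minimum age.

```rust
use std::time::Duration;

/// A published release as a registry listing would show it: semver triple
/// plus publish time in seconds since the Unix epoch (constructed data below).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Release {
    pub version: (u64, u64, u64),
    pub published: u64,
}

/// Cargo's default caret requirement: `coollib = "0.1.0"` accepts >=0.1.0 and
/// <0.2.0, i.e. the leftmost non-zero component of the requirement must not change.
pub fn caret_compatible(req: (u64, u64, u64), v: (u64, u64, u64)) -> bool {
    if v < req {
        return false;
    }
    match req {
        (0, 0, patch) => v.0 == 0 && v.1 == 0 && v.2 == patch,
        (0, minor, _) => v.0 == 0 && v.1 == minor,
        (major, _, _) => v.0 == major,
    }
}

/// Newest compatible release published at least `min_age` before `now`.
/// A release newer than the cutoff is skipped even if it is the highest version,
/// which is what a hypothetical `cargo update --older 10d` would do for a 10-day window.
pub fn select_older(
    releases: &[Release], req: (u64, u64, u64), now: u64, min_age: Duration,
) -> Option<Release> {
    let cutoff = now.saturating_sub(min_age.as_secs());
    releases.iter().copied()
        .filter(|r| caret_compatible(req, r.version) && r.published <= cutoff)
        .max_by_key(|r| r.version)
}

/// Constructed sample mirroring the issue: 0.1.2 is 30 days old, 0.1.3 one day old.
pub fn example() -> Option<Release> {
    const DAY: u64 = 86_400;
    let now: u64 = 1_700_000_000; // hypothetical "now", not the real clock
    let releases = [
        Release { version: (0, 1, 0), published: now - 90 * DAY },
        Release { version: (0, 1, 2), published: now - 30 * DAY },
        Release { version: (0, 1, 3), published: now - DAY },
        Release { version: (0, 2, 0), published: now - 60 * DAY }, // outside ^0.1.0
    ];
    select_older(&releases, (0, 1, 0), now, Duration::from_secs(10 * DAY))
}
```

With the sample above, `example()` returns the 0.1.2 release: 0.1.3 is compatible but only a day old, and 0.2.0 is old enough but outside the caret range.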