Everyone who cares about supply-chain attacks is supposed review their dependencies. But if everyone reviews all of their dependencies from scratch, that’s a lot of duplicated work. crev allows recording “I have reviewed this, and it’s good/bad” and sharing this information with others.

From the readme

• warn you about untrustworthy crates and security vulnerabilities
• display useful metrics about your dependencies
• help you identify dependency-bloat
• allow you to review most suspicious dependencies and publish your findings,
• use reviews produced by other users
• increase trustworthiness of your own code
• build a web of trust of other reputable users to help verify the code you use

It will be interesting to see how cargo vet fits into this space once it’s announced officially.

Previous discussion: here.