I think a binary `allow_vulnerable = true` is very dangerous. Cargo.toml cannot be modified afterwards, and if a new vulnerability is discovered, the dependent crate isn't necessarily immune against it.

Therefore, I propose to extend this scheme a little bit:

- `cargo advisory` should not be boolean like `cargo yank`. It should be possible to have multiple advisories per crate.
- Every advisory should have a unique identifier (can be internal to cargo or an external one like CVE or DWF).
- Dependencies can now be specified as:

```toml
[dependencies]
iron = { version = "0.4", allow_vulnerabilities = ["CVE-YYYY-XXXX"] }
```

EDIT: An automatically generated internal identifier is probably better to prevent collisions.
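As an added illustration of the scheme proposed above (this is example code written for this page, not part of the post and not cargo's own implementation), the checker below resolves a parsed `[dependencies]` table against a constructed advisory list. Per-identifier allow-lists let a previously accepted advisory stay accepted while a newly published one still blocks the build, which is exactly what a binary flag cannot express. All advisory identifiers, crate names and the `affected` field are constructed placeholders, and version matching is simplified to an exact `major.minor` comparison rather than real semver resolution.

```python
"""Added example: per-advisory allow-lists versus a binary allow flag.

All identifiers, crates and versions below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str         # unique identifier (external like a CVE, or cargo-internal)
    crate: str      # affected crate name
    affected: str   # simplified: the "major.minor" requirement that is affected


# Constructed advisory list; a real tool would fetch this from an advisory database.
ADVISORIES = [
    Advisory("CVE-0000-0001", "iron", "0.4"),   # old, already reviewed by the project
    Advisory("CVE-0000-0002", "iron", "0.4"),   # newly published after Cargo.toml was written
    Advisory("CVE-0000-0003", "hyper", "0.9"),
]

# Constructed dependency table, in the shape tomllib.loads() returns for:
#   [dependencies]
#   iron  = { version = "0.4", allow_vulnerabilities = ["CVE-0000-0001"] }
#   hyper = "0.9"
#   bodyparser = { version = "0.5", allow_vulnerabilities = ["CVE-0000-9999"] }
DEPENDENCIES = {
    "iron": {"version": "0.4", "allow_vulnerabilities": ["CVE-0000-0001"]},
    "hyper": "0.9",
    "bodyparser": {"version": "0.5", "allow_vulnerabilities": ["CVE-0000-9999"]},
}


def normalize(spec):
    """Return (version, allow-list) for both the string and the table form."""
    if isinstance(spec, str):
        return spec, []
    return spec["version"], list(spec.get("allow_vulnerabilities", []))


def check_dependencies(dependencies, advisories):
    """Map crate -> advisory ids that apply to its version and are NOT allow-listed.

    An empty dict means the build is clean under the per-identifier scheme.
    """
    blocking = {}
    for crate, spec in dependencies.items():
        version, allowed = normalize(spec)
        for adv in advisories:
            if adv.crate == crate and adv.affected == version and adv.id not in allowed:
                blocking.setdefault(crate, []).append(adv.id)
    return blocking


def stale_allowances(dependencies, advisories):
    """Map crate -> allow-listed ids that match no known advisory for that crate.

    A stale entry is worth a warning: it may be a typo, or an advisory that was
    withdrawn, and either way it grants nothing.
    """
    known = {(adv.crate, adv.id) for adv in advisories}
    stale = {}
    for crate, spec in dependencies.items():
        _, allowed = normalize(spec)
        unknown = [aid for aid in allowed if (crate, aid) not in known]
        if unknown:
            stale[crate] = unknown
    return stale


def check_with_binary_flag(dependencies, advisories, allow_vulnerable):
    """The rejected design: one boolean per crate silences every advisory, old or new."""
    if allow_vulnerable:
        return {}
    return check_dependencies(
        {crate: normalize(spec)[0] for crate, spec in dependencies.items()}, advisories
    )


if __name__ == "__main__":
    print("blocking (per-id scheme):", check_dependencies(DEPENDENCIES, ADVISORIES))
    print("stale allow-list entries:", stale_allowances(DEPENDENCIES, ADVISORIES))
    print("blocking (binary flag):  ", check_with_binary_flag(DEPENDENCIES, ADVISORIES, True))
```

Running it shows the difference the post is arguing for: under the per-identifier scheme `iron` is still blocked by `CVE-0000-0002`, the advisory that appeared after the allow-list was written, while `allow_vulnerable = true` would silence it along with everything published later.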