The chances of `cargo update` pulling in some updated dependency which is now compromised with malware is low. The chances of a compromised dependency getting past `cargo-audit` are low. The chances of compromised code causing measurable harm are low. The repercussions for me publishing compromised code are low. The effort I would have to expend to manually check the code is high. So yes, I `cargo update`.
jcgrillo|1 year ago
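An added example, not part of the thread: a small Python diff of two Cargo.lock files that lists what `cargo update` changed and picks out the entries worth reading before a `cargo audit` run and a publish (a crate pulled from a git source instead of the crates.io registry, or a checksum that moved without a version bump). The crate names, checksums and the git URL in the sample lock files are constructed.

```python
import re

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"
_PKG_SPLIT = re.compile(r"^\[\[package\]\]$", re.M)
_FIELD = re.compile(r'^(\w+) = "([^"]*)"$', re.M)


def parse_lock(text):
    """Map (name, version) -> {source, checksum} for every [[package]] in a Cargo.lock.
    Keyed on (name, version) so two versions of one crate stay distinct; arrays are ignored."""
    pkgs = {}
    for block in _PKG_SPLIT.split(text)[1:]:  # [0] is the header before the first package
        f = dict(_FIELD.findall(block))
        # path/workspace crates carry no source or checksum; keep them as empty strings
        pkgs[(f["name"], f["version"])] = {"source": f.get("source", ""),
                                           "checksum": f.get("checksum", "")}
    return pkgs


def lock_diff(old_text, new_text):
    """Entries added, removed, or altered (same name+version, different source/checksum)."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "altered": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}


def review_flags(old_text, new_text):
    """What to read first after an update: new entries not from the crates.io registry
    (git or path sources) and entries whose checksum moved without a version bump."""
    new, d = parse_lock(new_text), lock_diff(old_text, new_text)
    flags = [(k, "non-registry source: " + (new[k]["source"] or "<path/workspace>"))
             for k in d["added"] if new[k]["source"] != REGISTRY]
    flags += [(k, "same version, source/checksum changed") for k in d["altered"]]
    return flags


def _lock(*pkgs):
    """Build a constructed Cargo.lock body from (name, version, source, checksum) tuples."""
    out = "version = 3\n"
    for n, v, s, c in pkgs:
        out += f'\n[[package]]\nname = "{n}"\nversion = "{v}"\n'
        out += (f'source = "{s}"\n' if s else "") + (f'checksum = "{c}"\n' if c else "")
    return out


# Constructed sample lock files: crate-a is bumped, crate-b keeps its version but its
# checksum changes, and crate-c arrives from a git source rather than the registry.
OLD_LOCK = _lock(("crate-a", "1.0.0", REGISTRY, "c0ffee01"),
                 ("crate-b", "2.0.0", REGISTRY, "c0ffee02"))
NEW_LOCK = _lock(("crate-a", "1.0.1", REGISTRY, "c0ffee03"),
                 ("crate-b", "2.0.0", REGISTRY, "deadbeef"),
                 ("crate-c", "0.3.0", "git+https://example.invalid/crate-c#abc123", ""))
```

Run `review_flags(OLD_LOCK, NEW_LOCK)` against the two constructed files to see the git-sourced crate and the checksum change surface, while the plain version bump of crate-a is left for `cargo audit`.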