Keep your dependencies up-to-date

Overview

Deps.rs - Dependency status at a glance


Deps.rs is a service that shows you at a glance if any of your dependencies are out of date or insecure. This works by comparing the dependencies in a project's Cargo.toml to the latest versions in the crates.io database. For security-related information, we query the RustSec Security Advisory Database.

We currently support projects and crates hosted on crates.io, GitHub, GitLab and Bitbucket. To analyze the state of your dependencies you can use the following URLs:

  • for projects on crates.io: https://deps.rs/crate/<NAME>
  • for projects on GitHub, GitLab or Bitbucket: https://deps.rs/repo/<HOSTER>/<USER>/<REPO> (where <HOSTER> is either github, gitlab or bitbucket)

On the analysis page, you will also find the Markdown code to include a fancy badge in your project README so visitors (and you) can see at a glance if your dependencies are still up to date!

Contributing

We are always looking for help from the community! Feel like a feature is missing? Found a bug? Open an issue!

Do you want to contribute? Then browse the list of open issues and ask if you can take care of one.

Building the project

To get started on the project simply clone the repository and run the build:

git clone https://github.com/deps-rs/deps.rs
cd deps.rs
cargo run

The development server listens on port 8080 on localhost, so point your browser to http://localhost:8080 to check that it works.

Copyright and License

Copyright 2018 Sam Rijs and Contributors

Licensed under the Apache License, Version 2.0 (the "License"). You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Comments
  • Status of this project

    Hey there!

    First of all I want to thank you for the enormous work you did for the community with this project! I love deps.rs and am using it quite often as a dashboard to visualize the dependency states of my or other projects.

    But I came to notice that this project seems to be somewhat unmaintained right now - which is totally fine, everybody shifts their attention at one point or another to a new project or is unable to find the time to take care of the maintenance! But it would be a bummer to leave this out in the wild to rot. Would you consider opening the project up to the community or a volunteer - should one be found - to take this over?

    I'm not saying that this specific person should be me (I'm not sure if I have the time required at hand) but it would be cool if the project would live on.

    maintenance 
    opened by Feliix42 19
  • Internal communication

    Now that a new team is forming to maintain the project I was wondering if we want to use some external service for communication to have a platform to discuss possible changes or ideas. What do you think about this? Would that make sense or do you think communication using issues & PRs is enough?

    As for possible communication channels I can think of (in the order I prefer them):

    • Matrix (easy to use and thanks to federation you probably don't need to make an account specifically for this if you already have one)
    • Discord
    • gitter.im (kind of dated by now but still preferred by some people)
    • Mailing lists (just don't please)
    maintenance 
    opened by Feliix42 15
  • Complains about CVE for old version

    Thanks to #96 I can now see what's going on in my cargo-udeps crate's report. Apparently it complains about CVE-2019-16760 which affects cargo versions 0.26.0 and below, but versions above are fixed. My cargo-udeps tool requires cargo versions ^0.50.0, so would never use 0.26.0 or below.

    I guess the cause for this false positive is because cargo versioning is different from rust versioning. For rust version 1.n.0, the corresponding cargo version is 0.{n+1}.0. The CVE apparently expresses the bug in terms of the rust version, not the cargo version. Of course 0.27.0 or even 0.50.0 is below 1.27.0.

    I'm not sure whether this is a bug with the rustsec database or with deps.rs. Pinging @tarcieri and @Shnatsel just in case.

    opened by est31 14
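
The false positive described in the issue above, as an added Rust example that is not deps.rs or RustSec code: it applies the issue's stated mapping (Rust 1.n.0 corresponds to cargo 0.(n+1).0) to an advisory threshold before comparing versions. The threshold 1.26.0 is an assumption derived from the issue's "0.26.0 and below" statement, and all function names are hypothetical.

```rust
// Added example: not deps.rs or RustSec code; all names are hypothetical.
type Version = (u64, u64, u64);

/// Parse a plain "MAJOR.MINOR.PATCH" string (no pre-release or build tags).
fn parse(v: &str) -> Option<Version> {
    let mut parts = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    let version = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(version) }
}

/// Mapping stated in the issue: Rust 1.n.0 corresponds to cargo 0.(n+1).0.
fn cargo_for_rust(rust: Version) -> Option<Version> {
    match rust {
        (1, minor, 0) => Some((0, minor + 1, 0)),
        _ => None, // the issue only gives the rule for 1.n.0
    }
}

/// A version is affected when it is older than the first patched release.
/// Tuples compare field by field, which matches semver order for plain versions.
fn is_affected(version: Version, first_patched: Version) -> bool {
    version < first_patched
}

/// Naive check: compares the cargo crate version directly against a
/// threshold written in Rust toolchain numbering.
fn naive_check(cargo_crate: &str, patched_rust: &str) -> Option<bool> {
    Some(is_affected(parse(cargo_crate)?, parse(patched_rust)?))
}

/// Corrected check: translate the threshold into cargo numbering first.
fn translated_check(cargo_crate: &str, patched_rust: &str) -> Option<bool> {
    let patched_cargo = cargo_for_rust(parse(patched_rust)?)?;
    Some(is_affected(parse(cargo_crate)?, patched_cargo))
}

fn main() {
    // Assumed threshold: "cargo 0.26.0 and below" affected means cargo 0.27.0
    // is the first fixed release, which is Rust 1.26.0 under the mapping.
    let patched_rust = "1.26.0";
    for v in ["0.26.0", "0.27.0", "0.50.0"] {
        let (naive, fixed) = (naive_check(v, patched_rust), translated_check(v, patched_rust));
        println!("cargo {}: naive={:?} translated={:?}", v, naive, fixed);
    }
}
```

With the naive comparison every 0.x cargo crate version sorts below a 1.x threshold, so even 0.50.0 is flagged; after translation only 0.26.0 and below are.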
  • To move or not to move deps.rs to deps.rm.rs (decide before 27/01/2021)

    As everybody knows already from #40, the project will now be maintained by everybody who wants.

    I proposed myself to host it on deps.rm.rs but we could also take deps.rs. Please note that the price will be around $34. I don't personally want to pay for it by myself but I would agree on sharing the cost.

    Please leave a comment if you prefer to keep deps.rs and pay for it or if it is okay to move it to deps.rm.rs.

    (rm.rs is owned by myself. I started recently using it for https://yewprint.rm.rs)

    maintenance 
    opened by cecton 13
  • Site Not Showing Latest Versions

    Hi there,

    The deps.rs site doesn't seem to be picking up new package releases (or at least some of them). For example, once_cell is coming up 1.9.0 rather than 1.10.0, and deno is showing 1.19.0 instead of 1.19.2.

    Maybe the server process needs a restart?

    opened by joshstoik1 10
  • CI/CD

    We've had a good experience with actix-web using GitHub Actions but I see there's a travis config here already.

    Let's spec out the goals for the CI, talking points:

    • [ ] security audit
    • [ ] tests
    • [ ] deployments (stagings/prod)
    • [ ] other
    infrastructure tracking 
    opened by robjtede 10
  • Failed to analyze repository `lingua`

    I've just released the new version 1.3.3 of my crate lingua. Deps.rs suddenly does not work anymore. In the past, there was never a problem with analyzing the dependencies and showing the correct badge in the README of the project. Can you tell what's wrong? Thank you very much.

    https://github.com/pemistahl/lingua-rs

    https://deps.rs/crate/lingua/1.3.3

    opened by pemistahl 7
  • Extend dependency status box to report more issues

    I noticed that the dependency issue box presented at a project's status page may sometimes not present the most important information. In the example below, the project has 3 non-dev dependencies outdated, yet this box only reported the outdated dev dependencies.

    Screenshot_2021-10-12_11-06-06

    As such, I propose with this PR to extend this box to also provide information about outdated main dependencies, in a way which does not occlude the other kinds of issues. I also fixed pluralization, so that a single bad dependency appears in its singular form.

    Screenshot_2021-10-12_16-04-35

    Summary:

    • replace render_dev_dependency_box with an extended render_dependency_box
      • reports insecure dev dependencies, outdated main dependencies, and outdated dev dependencies
      • handle pluralization in dependency count message
    • change methods in AnalyzeDependenciesOutcome
      • add count_outdated
      • remove any_dev_issues, no longer used
    • remove AnalyzedDependencies::any_dev_issues, no longer used
    enhancement 
    opened by Enet4 7
  • image dep shows as insecure, but the crate is not insecure

    Data seems inconsistent:

    https://deps.rs/repo/github/wez/wezterm and search for image; it shows the following:

    image | ^0.23 | 0.23.12 | insecure
    

    clicking through to image:

    https://deps.rs/crate/image/0.23.12

    everything there is green.

    opened by wez 7
  • Modernize

    Bumps most dependencies to their latest versions and modernizes code to 2018 edition.

    A non-goal of this PR is to update futures dependent crates to 0.3 ecosystem. I'm part way through doing it but it is about as much work to do as this PR.

    This PR seems to retain the same capabilities of current deps.rs deployment. It's also clear that many more tests are needed.

    Supersedes #42 & #31

    opened by robjtede 6
  • Allow to retrieve badge for latest version of crate

    For example, https://deps.rs/crate/yukikaze would get me the latest crate version, while https://deps.rs/crate/yukikaze/status.svg would get me nowhere, so the user would need to always point to a particular version, which may not be convenient.

    enhancement 
    opened by DoumanAsh 6
  • Support workspace inheritance

    Currently, inherited dependencies get ignored. For example, the blackbox and blackbox_decode crates in https://github.com/wetheredge/blackbox inherit tracing from the root, but it is missing from https://deps.rs/repo/github/wetheredge/blackbox.

    Docs:

    • https://doc.rust-lang.org/cargo/reference/workspaces.html#the-dependencies-table
    • https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#inheriting-a-dependency-from-a-workspace

    I might be able to take a stab at this in the next few days if it isn't already being worked on.

    feature 
    opened by wetheredge 0
  • Yanked version ignored too much

    Related to: https://github.com/rust-disk-partition-management/gptman/pull/82#discussion_r873071638

    We noticed that yanked dependencies do not seem to be reported at all. They're not necessarily vulnerabilities but they should be reported at least as outdated.

    This can be observed in commit https://github.com/rust-disk-partition-management/gptman/commit/d7ca717f0a749e82dd9cad5f8c69efb1c6cb169c

    It is important to note that:

    1. crossbeam-utils is not a direct dependency of the project
    2. it's only pulled for the binary of this crate and not the library

    Possibly related to #109

    opened by cecton 0
  • Support multi-workspace repositories

    In RustCrypto we have repositories with mixed editions (e.g. see the traits repo). To allow testing of MSRV we have temporarily moved 2021 edition crates into their own workspaces (e.g. see the kem crate). Unfortunately, deps.rs analyzes only the root workspace, so such crates are getting skipped as can be seen on the relevant page: https://deps.rs/repo/github/RustCrypto/traits

    opened by newpavlov 1
  • allow site domain name as synonym/specification of hosting service

    Right now, the badge url requires ../github/... Would like it to take ../github.com/.. as well. This is especially important for gitlab, where for example gitlab.freedesktop.org is not currently supported as far as I know.

    opened by BartMassey 1