Question 1

How do I handle a vulnerability in a crate that uses `unsafe` but I don't call the unsafe path?

Accepted Answer

Patch it anyway. Unsafe bugs are subtle — tokio-util had a vulnerability where memory leaked across task boundaries, and most users had no idea they were hitting the affected code path. Future code changes, compiler optimizations, or upstream updates could expose you. Run cargo-geiger to understand your unsafe surface, but don't use "I don't call that path" as a reason to defer patching.

Question 2

cargo-deny vs cargo audit — do I need both?

Accepted Answer

They serve different purposes. cargo audit checks for known vulnerabilities. cargo-deny enforces policies: license compliance, duplicate crate detection, banned crates, and source restrictions. Use both in CI. The combo catches more than either alone.

Question 3

A crate I depend on is unmaintained. RustSec flagged it as "informational." Is that urgent?

Accepted Answer

Not immediately, but it's a ticking clock. Unmaintained crates won't receive vulnerability patches. Check if there's an actively maintained fork (RustSec advisories usually link one). If not, plan a migration before a real vulnerability hits. This is one of RustSec's best features — no other ecosystem's advisory database tracks maintenance status this well.

Question 4

How does GeekWala handle crates with git sources instead of crates.io?

Accepted Answer

GeekWala tracks vulnerabilities by commit hash and version tag. For git dependencies, the exact commit in your Cargo.lock is matched against advisory affected-version ranges. This works well when the git repo tags releases; for untagged commits, matching is best-effort based on the nearest version tag.

Question 5

My project mixes Rust and TypeScript (e.g., Tauri app). Can I scan both?

Accepted Answer

Yes — that's where GeekWala's multi-ecosystem support helps most. Upload your Cargo.lock for the Rust backend and package-lock.json for the frontend. You get unified prioritization across both, sorted by EPSS and KEV rather than comparing apples (npm audit severity) to oranges (cargo audit severity).

Question 6

Does Rust have a supply chain security story?

Accepted Answer

Rust's supply chain is stronger than npm but weaker than curated ecosystems. Key practices:
- cargo deny to review and audit dependencies
- Dependency review in pull requests
- cargo-sbom to track dependencies for compliance
- Regular geiger scans to monitor unsafe code trends

When you scan your Rust dependencies, GeekWala's vulnerability integration helps you catch supply chain attacks early with full EPSS and CISA KEV context.

For a side-by-side comparison of all ecosystem scanners, see 7 Dependency Vulnerability Scanners Compared.