Disclaimer: If you didn't see my profile description: I am a biologist. I have some computer science background, but not coding. I am publishing some cargo crates and other little repos to (hopefully) meaningfully contribute to open-source projects (tactfully, I hope) and to Rust in general with any extra Claude credits I have available. I am trying to ensure that any contributions I make are actually helpful, so any criticism or feedback on my approach would be greatly appreciated.
Compare two versions of a crate and flag capability changes. Detects when a crate update adds new capabilities such as network access, file system operations, environment variable reads, process spawning, or unsafe code.
Install:

```sh
cargo install cargo-behavior-diff
```

Usage:

```sh
cargo behavior-diff <CRATE> <OLD_VERSION> <NEW_VERSION>
```

Example:

```sh
cargo behavior-diff serde 1.0.0 1.0.200
```

Capability categories and the text patterns that indicate them:

| Category | Patterns |
|---|---|
| Network | std::net, TcpStream, UdpSocket, reqwest, hyper, ureq |
| File System | std::fs, File::create, fs::write, remove_file, remove_dir |
| Process | std::process, Command::new |
| Environment | std::env, env::var |
| Unsafe | unsafe {, unsafe fn |
Risk levels:

- NONE - No new capabilities detected
- LOW - Minor new capabilities (e.g., environment variable access)
- MEDIUM - Significant new capabilities (e.g., network access or process spawning)
- HIGH - Critical new capabilities (e.g., unsafe code, or both network + process access, or 5+ new patterns)
How it works:

- Downloads source tarballs for both versions from crates.io
- Scans all .rs files for capability-sensitive patterns using text matching
- Compares the capabilities found in each version
- Flags any NEW capabilities not present in the old version
- Outputs a colored report with risk assessment
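The scan, compare and classify steps above, as an added example that is not the crate's own code: the pattern table and risk rules are copied from this README, and the two source snippets are constructed stand-ins for extracted crate versions. The README does not assign a level to file-system-only additions, so rating them LOW is an assumption here.

```rust
use std::collections::BTreeSet;

// Capability categories and their text patterns, copied from the README table.
const PATTERNS: &[(&str, &[&str])] = &[
    ("Network", &["std::net", "TcpStream", "UdpSocket", "reqwest", "hyper", "ureq"]),
    ("File System", &["std::fs", "File::create", "fs::write", "remove_file", "remove_dir"]),
    ("Process", &["std::process", "Command::new"]),
    ("Environment", &["std::env", "env::var"]),
    ("Unsafe", &["unsafe {", "unsafe fn"]),
];
type Cap = (&'static str, &'static str); // (category, pattern)

/// Every capability pattern found in any of the source texts (pure substring matching).
pub fn scan(sources: &[&str]) -> BTreeSet<Cap> {
    let mut found = BTreeSet::new();
    for src in sources {
        for (cat, pats) in PATTERNS {
            found.extend(pats.iter().filter(|p| src.contains(**p)).map(|p| (*cat, *p)));
        }
    }
    found
}

/// Patterns present in the new version's sources but absent from the old one's.
pub fn new_capabilities(old: &[&str], new: &[&str]) -> Vec<Cap> {
    let before = scan(old);
    scan(new).difference(&before).cloned().collect()
}

/// Risk level per the README's rules. File-system-only additions fall through to LOW;
/// the README does not place that category (assumption).
pub fn risk(added: &[Cap]) -> &'static str {
    let cats: BTreeSet<&str> = added.iter().map(|(c, _)| *c).collect();
    let has = |c: &str| cats.contains(c);
    if added.is_empty() { return "NONE"; }
    if has("Unsafe") || (has("Network") && has("Process")) || added.len() >= 5 { return "HIGH"; }
    if has("Network") || has("Process") { return "MEDIUM"; }
    "LOW"
}

fn main() {
    // Constructed sample sources standing in for two extracted crate versions.
    let old = ["use std::fs;\nfn save() { fs::write(\"out\", b\"x\").unwrap(); }"];
    let new = ["use std::net::TcpStream;\nuse std::process::Command;\nfn save() { std::fs::write(\"out\", b\"x\").unwrap(); }\n\
                fn fetch() { let _ = TcpStream::connect(\"127.0.0.1:80\"); let _ = Command::new(\"git\"); }"];
    let added = new_capabilities(&old, &new);
    for (cat, pat) in &added { println!("NEW {cat}: {pat}"); }
    println!("risk: {}", risk(&added)); // prints "risk: HIGH"
}
```

Because matching is on raw text, a pattern inside a comment or string literal counts as a hit, while a capability reached through an aliased path or a wrapper crate not in the table is missed, so treat the report as a prompt to read the diff rather than a verdict.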
Exit codes:

- 0 - No high-risk changes detected
- 1 - High-risk capability changes detected
- 2 - Error (download failure, invalid crate, etc.)
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT License (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.