This would however have security implications, as malicious code could be injected upstream. That said, is a manual PR review likely to catch them anyway? Have existing dependencies been thoroughly reviewed?
Perhaps a delay is sufficient for significant issues to be identified by the wider community (but for them to be noticed/picked up by a reviewer, the upstream release would ideally need to be yanked or further updated—only possible if the upstream project maintainers are both amenable and still have access).
Some interesting ideas (focused around crates.io) in https://www.reddit.com/r/rust/comments/qduia7/how_can_we_make_sure_this_doesnt_happen_with/ (and similar discussions).