Skip to content

chainguard-dev/cargobump

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
.chainguard
.chainguard
 
 
.github
.github
 
 
cmd/cargobump
cmd/cargobump
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

cargobump

Rust tool to declaratively bump dependencies using cargo.

Usage

The idea is that there are some packages that should be applied to the upstream Cargo.lock file. You can specify these via --packages flag, or via --bump-file.

Specifying Dependencies to be patched

You can specify the patches that should be applied two ways. They are mutually exclusive, so you can only specify one of them at the time.

--packages flag

You can specify patches via --packages flag by encoding them (similarly to gobump) in the following format:

--packages="<name@version[@scope[@type]]> <name...>"

--bump-file flag

You can specify a yaml file that contains the patches, which is the preferred way, because it's less error prone, and allows for inline comments to keep track of which patches are for which CVEs.

An example yaml file looks like this:

patches:
  # CVE-2023-34062
  - name: tokio
    version: 1.0.39
  # CVE-2023-5072
  - name: chrono
    version: "20231013"

About

Rust tool to declaratively bump dependencies using cargo

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v0.0.2 Latest
Nov 22, 2024
+ 1 release

Contributors 3

  •  
  •  
  •  

Languages