Have Updatebot run cargo audit #365

Open
@tomrittervg


cargo audit is the Rust 'tell me if any of the things I am using have CVEs' tool. It's a little awkward to have this run in TC; because one day everything will break because of external purposes and we may not be able or want to fix it on e.g. -release/-esr.

But it fits perfectly in with Updatebot - when a new issue occurs, we can file a bug, developers can investigate it and decide if they want to do something about it or not, and then fix or wontfix the bug. And Updatebot won't re-file a new issue for an existing RUSTSEC advisory.
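
A sketch of the de-duplication step described above, added here as an example and not taken from Updatebot's code: it reads a `cargo audit --json` report and returns only the advisories that have no bug yet. The report layout (`vulnerabilities.list[].advisory` / `.package`), the `advisories_to_file` helper, the crate names and the placeholder advisory IDs are assumptions constructed for illustration.

```python
import json

# Constructed sample in the assumed shape of a `cargo audit --json` report.
# Advisory IDs and crate names are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 3,
        "list": [
            {"advisory": {"id": "RUSTSEC-0000-0001", "title": "constructed: parser overflow"},
             "package": {"name": "examplecrate", "version": "0.3.1"}},
            {"advisory": {"id": "RUSTSEC-0000-0002", "title": "constructed: use-after-free"},
             "package": {"name": "othercrate", "version": "1.2.0"}},
            # Same advisory reached through a second locked version of the crate.
            {"advisory": {"id": "RUSTSEC-0000-0002", "title": "constructed: use-after-free"},
             "package": {"name": "othercrate", "version": "1.1.0"}},
        ],
    }
})


def advisories_to_file(report_json, already_filed):
    """Return one bug candidate per advisory ID that has no bug yet.

    already_filed holds advisory IDs with an existing bug in any state
    (open, fixed or wontfix), so a triaged advisory is never re-filed.
    """
    report = json.loads(report_json)
    entries = report.get("vulnerabilities", {}).get("list", [])
    candidates = {}
    for entry in entries:
        adv_id = entry["advisory"]["id"]
        if adv_id in already_filed:
            continue
        pkg = entry["package"]
        cand = candidates.setdefault(
            adv_id, {"id": adv_id, "title": entry["advisory"]["title"], "affected": []})
        # Collapse several affected crate versions into a single bug.
        cand["affected"].append(f'{pkg["name"]} {pkg["version"]}')
    return [candidates[key] for key in sorted(candidates)]


if __name__ == "__main__":
    # Hypothetical state: advisory 0001 already has a (wontfix) bug on file.
    for bug in advisories_to_file(SAMPLE_REPORT, {"RUSTSEC-0000-0001"}):
        print(f'file bug: {bug["id"]} ({bug["title"]}) affects {", ".join(bug["affected"])}')
```

Keying on the advisory ID rather than on crate version is what keeps a wontfix decision from being reopened when the lockfile changes.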
