This security flaw affects not only projects using async-tar but also tokio-tar, an extremely popular fork with over 7 million downloads on crates.io that has also been abandoned.

In reply to @hexa:lossy.network
that's a very exciting idea for a "sidequest"

I'm confused. And a Rust (ecosystem) beginner. Is there a way to run cargo udeps on NixOS on a project that uses the stable toolchain? And should I use rustup or not use rustup?

I've been developing with a direnv+flake that does pkgs.rustPlatform.buildRustPackage and for devShells takes inputsFrom that derivation. And setting RUST_SRC_PATH and removing any $HOME/.cargo/bin entries from PATH in my shellHook—not sure if the latter is right or not, and I also don't 100% remember why I've done it, but I would assume any dynamically linked binaries there to rot when the store gets GCd.

For cargo udeps, I'm told I should use cargo +nightly udeps, which tells me to use rustup, so I try rustup run nightly cargo udeps. I suspect that fails because it invokes rustc, expecting it to be the nightly toolchain rustc, or something? It outputs several error: the option Z is only accepted on the nightly compiler.

I noticed there's also a cargo-udeps packaged in nixpkgs (how if it requires nightly??), but nix-shell -p cargo-udeps --command "cargo udeps" outputs the same errors.

I'm confused. And a Rust (ecosystem) beginner. Is there a way to run cargo udeps on NixOS on a project that uses the stable toolchain? And should I use rustup or not use rustup?

I've been developing with a direnv+flake that does pkgs.rustPlatform.buildRustPackage and for devShells takes inputsFrom that derivation. And setting RUST_SRC_PATH and removing any $HOME/.cargo/bin entries from PATH in my shellHook—not sure if the latter is right or not, and I also don't 100% remember why I've done it, but I would assume any dynamically linked binaries there to rot when the store gets GCd.

For cargo udeps, I'm told I should use cargo +nightly udeps, which tells me to use rustup, so I try rustup run nightly cargo udeps. I suspect that fails because it invokes rustc, expecting it to be the nightly toolchain rustc, or something? It outputs several error: the option \Z` is only accepted on the nightly compiler`.

I noticed there's also a cargo-udeps packaged in nixpkgs (how if it requires nightly??), but nix-shell -p cargo-udeps --command "cargo udeps" outputs the same errors.

I'm confused. And a Rust (ecosystem) beginner. Is there a way to run cargo udeps on NixOS on a project that uses the stable toolchain? And should I use rustup or not use rustup?

I've been developing with a direnv+flake that does pkgs.rustPlatform.buildRustPackage and for devShells takes inputsFrom that derivation. And setting RUST_SRC_PATH and removing any $HOME/.cargo/bin entries from PATH in my shellHook—not sure if the latter is right or not, and I also don't 100% remember why I've done it, but I would assume any dynamically linked binaries there to rot when the store gets GCd.

For cargo udeps, I'm told I should use cargo +nightly udeps, which tells me to use rustup, so I try rustup run nightly cargo udeps. I suspect that fails because it invokes rustc, expecting it to be the nightly toolchain rustc, or something? It outputs several error: the option `Z` is only accepted on the nightly compiler.

I noticed there's also a cargo-udeps packaged in nixpkgs (how if it requires nightly??), but nix-shell -p cargo-udeps --command "cargo udeps" outputs the same errors.