cargo-unmaintained
Identifies unmaintained packages in Rust projects before they quietly become inherited risk.
Best for
Catching abandoned dependencies during review, before the abandonment becomes obvious from the outside.
Surface
Cargo
Catalog group
Verify supply chains and enforce engineering policy
Repository
trailofbits/cargo-unmaintained
From the README
Find unmaintained packages in Rust projects

cargo-unmaintained is similar to cargo-audit. However, cargo-unmaintained finds unmaintained packages automatically using heuristics, rather than relying on users to manually submit them to the RustSec Advisory Database.

cargo-unmaintained defines an unmaintained package X as one that satisfies one of 1 through 3 below:

1. X's repository is archived (see the Notes section of the README).

Read the full README on GitHub
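The archived-repository criterion above, as an added example in Rust. This is not code from cargo-unmaintained or Trail of Bits: it reads a constructed Cargo.lock with a small std-only parser, maps each package to a repository URL through a constructed table standing in for the `repository` field of each crate's manifest, and checks archive status against a constructed table standing in for the GitHub API's `archived` flag. The package names, repository URLs, both tables and the `find_archived` and `run_sample` functions are assumptions made for illustration; the real tool resolves repositories from crate metadata and queries GitHub.

```rust
use std::collections::HashMap;

/// One `[[package]]` entry from Cargo.lock, reduced to the fields this check needs.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// A package flagged under criterion 1 (its repository is archived).
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub package: String,
    pub version: String,
    pub repository: String,
}

/// Minimal Cargo.lock reader (assumption: std only, no toml crate). It walks the
/// `[[package]]` tables and keeps `name` and `version`; other keys are ignored.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    fn flush(cur: &mut Option<(Option<String>, Option<String>)>, out: &mut Vec<LockedPackage>) {
        if let Some((Some(name), Some(version))) = cur.take() {
            out.push(LockedPackage { name, version });
        }
    }
    let mut packages = Vec::new();
    let mut current: Option<(Option<String>, Option<String>)> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut current, &mut packages);
            current = Some((None, None));
            continue;
        }
        // Top-level keys such as `version = 3` arrive before any table and are skipped.
        if let (Some(cur), Some((key, value))) = (current.as_mut(), line.split_once('=')) {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => cur.0 = Some(value),
                "version" => cur.1 = Some(value),
                _ => {} // source, checksum, dependencies: irrelevant to criterion 1
            }
        }
    }
    flush(&mut current, &mut packages);
    packages
}

/// Apply criterion 1 to every locked package. `repositories` maps package name to
/// repository URL; `archived` maps repository URL to its archive flag.
pub fn find_archived(
    packages: &[LockedPackage],
    repositories: &HashMap<String, String>,
    archived: &HashMap<String, bool>,
) -> Vec<Finding> {
    let mut findings = Vec::new();
    for pkg in packages {
        // Without a repository URL criterion 1 cannot apply, so the package is skipped here.
        let repo = match repositories.get(&pkg.name) {
            Some(r) => r,
            None => continue,
        };
        if archived.get(repo).copied().unwrap_or(false) {
            findings.push(Finding {
                package: pkg.name.clone(),
                version: pkg.version.clone(),
                repository: repo.clone(),
            });
        }
    }
    findings
}

/// Constructed Cargo.lock for the example; the crates are fictional.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "livecrate",
 "oldcrate",
]

[[package]]
name = "livecrate"
version = "2.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "oldcrate"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
"#;

/// Constructed stand-in for each crate's manifest `repository` field ("app" is the
/// workspace root and has none).
pub fn sample_repositories() -> HashMap<String, String> {
    vec![
        ("livecrate", "https://github.com/example/livecrate"),
        ("oldcrate", "https://github.com/example/oldcrate"),
    ]
    .into_iter()
    .map(|(k, v)| (k.to_string(), v.to_string()))
    .collect()
}

/// Constructed stand-in for the GitHub API's `archived` flag per repository.
pub fn sample_archived() -> HashMap<String, bool> {
    vec![
        ("https://github.com/example/livecrate", false),
        ("https://github.com/example/oldcrate", true),
    ]
    .into_iter()
    .map(|(k, v)| (k.to_string(), v))
    .collect()
}

pub fn run_sample() -> Vec<Finding> {
    let packages = parse_cargo_lock(SAMPLE_LOCK);
    find_archived(&packages, &sample_repositories(), &sample_archived())
}

fn main() {
    for f in run_sample() {
        println!("{} {}: repository {} is archived", f.package, f.version, f.repository);
    }
}
```

The lock-file reader is deliberately minimal; for a real project use a TOML parser and take the repository URL from `cargo metadata`, since Cargo.lock does not carry it. The point of the example is the shape of the heuristic: the decision rests on a property of the upstream repository, not on anything the advisory database says about the crate.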
Related tools · Verify supply chains and enforce engineering policy
- rekor-monitor Transparency-log monitoring for Sigstore's Rekor so maintainers can watch for suspicious signing events.
- It-Depends Dependency-graph and SBOM builder for packages and arbitrary source repositories.
- Dylint Runs custom Rust lints from dynamic libraries rather than a single fixed lint set.
- semgrep-rules Public Semgrep queries developed during audits, research, and internal engineering work.
- codeql-queries Public CodeQL query packs used to express deeper code and data-flow policies.