https://github.com/chainguard-dev/cargobump

Rust tool to declaratively bump dependencies using cargo
https://github.com/chainguard-dev/cargobump

Last synced: 4 months ago
JSON representation

Rust tool to declaratively bump dependencies using cargo

• Host: GitHub
• URL: https://github.com/chainguard-dev/cargobump
• Owner: chainguard-dev
• License: apache-2.0
• Created: 2024-09-13T16:32:19.000Z (8 months ago)
• Default Branch: main
• Last Pushed: 2024-12-31T13:23:52.000Z (5 months ago)
• Last Synced: 2024-12-31T14:35:00.481Z (5 months ago)
• Language: Go
• Homepage:
• Size: 89.8 KB
• Stars: 2
• Watchers: 1
• Forks: 3
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# cargobump

Rust tool to declaratively bump dependencies using cargo.

# Usage

The idea is that there are some `packages` that should be applied to the upstream

Cargo.lock file. You can specify these via `--packages` flag, or via

`--bump-file`.

## Specifying Dependencies to be patched

You can specify the patches that should be applied two ways. They are mutually

exclusive, so you can only specify one of them at the time.

### --packages flag

You can specify patches via `--packages` flag by encoding them

(similarly to gobump) in the following format:

```shell

--packages=" "

```

### --bump-file flag

You can specify a yaml file that contains the patches, which is the preferred

way, because it's less error prone, and allows for inline comments to keep track

of which patches are for which CVEs.

An example yaml file looks like this:

```yaml

patches:

  # CVE-2023-34062

  - name: tokio

    version: 1.0.39

  # CVE-2023-5072

  - name: chrono

    version: "20231013"

```