Summary
Cargo.lock is listed in .gitignore, but this crate produces an executable binary (src/main.rs). The Rust project recommends committing Cargo.lock for binary crates to guarantee reproducible builds.
Category
Dependency
Severity
Medium
Location
- File: .gitignore
- Line(s): ~11 (Cargo.lock entry)
Details
The official Rust guidance is:
- Library crates: .gitignore Cargo.lock (consumers control versions)
- Binary crates: commit Cargo.lock (reproducible builds for deployments)
Since RUSTScrapling has src/main.rs and is deployed/run as a CLI tool, omitting Cargo.lock means:
- Different developers may build with different transitive dependency versions
- CI builds are non-reproducible — an upstream dependency bump can silently break the build
- cargo audit cannot be run in CI without the lockfile
The CI workflow currently caches by hashFiles('**/Cargo.lock') — but since Cargo.lock is never committed, this cache key is always a miss.
Suggested Fix
Remove Cargo.lock from .gitignore and commit the file:
# Remove the Cargo.lock entry from .gitignore (matches the line exactly, in place)
sed -i '/^Cargo.lock$/d' .gitignore
# Stage and commit. A Cargo.lock must already exist in the working tree;
# if it does not, run `cargo generate-lockfile` (or any `cargo build`) first.
git add Cargo.lock .gitignore
git commit -m "chore: commit Cargo.lock for reproducible binary builds"
Effort Estimate
5 min
Automated finding by repo-health-agent v1.0