
If you're using VS Code then you can add `"rust-analyzer.check.command": "clippy"` to your `settings.json`. I assume there's a similar setting for rust-analyzer in other editors.



Neovim:

    require("lspconfig").rust_analyzer.setup({
        settings = {
            ["rust-analyzer"] = {
                checkOnSave = {
                    command = "clippy",
                    allFeatures = true,
                },
            },
        },
    })


You might want to reconsider use of rust-analyzer; it isn't safe to use on code you haven't written yourself.

https://rust-analyzer.github.io/book/security.html


> it isn't safe to use on code you haven't written yourself

Neither is cargo (nor npm, nor any other package manager, for that matter).

I'm not sure what value being that paranoid is buying you in the long run.


Package managers are for running other people's code, I would not expect the same of static analysis tools, especially since they are of use while auditing other people's code before building/running it.


Cargo's threat model here is identical to that of rust-analyzer. If you trust your dependency tree sufficiently to run `cargo build`, then you trust it sufficiently to run rust-analyzer.


Considering Cargo has build scripts, which are designed to run arbitrary code, that doesn't appear to be correct.

https://doc.rust-lang.org/cargo/reference/build-scripts.html


rust-analyzer executes those exact same build scripts. This is the primary avenue for exploits in both pieces of software, and is called out explicitly in the page you originally linked.


Yes, and that is my complaint.
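An added example, not posted by anyone in this thread: a Neovim setup in the style of the Lua snippet above that keeps clippy-on-save for checkouts you trust, but for an untrusted checkout turns off the three rust-analyzer features that execute code from the crate tree (build scripts, proc macros, and the on-save cargo run, which itself runs `build.rs`). It assumes nvim-lspconfig, and the `trusted_roots` allowlist is a constructed example.

```lua
-- Added example; settings keys are the documented rust-analyzer ones
-- (rust-analyzer.checkOnSave, .check.command, .cargo.buildScripts.enable,
-- .procMacro.enable). The trust decision below is an assumption for illustration.
local function rust_analyzer_settings(trusted)
  if trusted then
    -- Trusted checkout: full analysis, clippy on every save.
    return {
      ["rust-analyzer"] = {
        checkOnSave = true,
        check = { command = "clippy" },
      },
    }
  end
  -- Untrusted checkout: each of these would run code from the crate tree.
  -- Analysis gets less precise, but nothing from the checkout executes.
  return {
    ["rust-analyzer"] = {
      checkOnSave = false,                           -- `cargo clippy` runs build.rs
      cargo = { buildScripts = { enable = false } }, -- do not execute build.rs
      procMacro = { enable = false },                -- do not load proc-macro dylibs
    },
  }
end

-- Constructed allowlist: only directories you control count as trusted.
local trusted_roots = {
  [vim.fn.expand("~/src/mine")] = true,
}
local root = vim.fn.getcwd()

require("lspconfig").rust_analyzer.setup({
  settings = rust_analyzer_settings(trusted_roots[root] == true),
})
```

With the untrusted settings active you still get navigation and diagnostics from rust-analyzer's own front end; what you lose is cfg/feature resolution that depends on build-script output and proc-macro expansion.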



