[librsvg: 3/5] RELEASING.md - section that explains the Rust dependencies




commit 3f9268cd9212e478786bdfb06777c57c79b3dc59
Author: Federico Mena Quintero <federico gnome org>
Date:   Thu Mar 18 10:33:05 2021 -0600

    RELEASING.md - section that explains the Rust dependencies

 RELEASING.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
---
diff --git a/RELEASING.md b/RELEASING.md
index fed3bfe0..50cd2913 100644
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -97,3 +97,24 @@ to do it or [ask the release team][release-team] to do it by filing an
 issue on their `GNOME/releng` project.
 
 [release-team]: https://gitlab.gnome.org/GNOME/releng/-/issues
+
+## Rust dependencies
+
+Release tarballs get generated with *vendored dependencies*, that is,
+the source code for all the crates that librsvg depends on gets bundled
+into the tarball itself.  It is important to keep these dependencies
+updated; you can do that regularly with the `cargo update` step listed
+in the checklist above.
+
+[`cargo-audit`][cargo-audit] is very useful to scan the list of
+dependencies for registered vulnerabilities in the [RustSec
+vulnerability database][rustsec].  Run it especially before making a
+new `x.y.0` release.
+
+Sometimes cargo-audit will report crates that are not vulnerable, but
+that are unmaintained.  Keep an eye of those; you may want to file
+bugs upstream to see if the crates are really unmaintained or if they
+should be substituted for something else.
+
+[cargo-audit]: https://github.com/RustSec/cargo-audit
+[rustsec]: https://rustsec.org/
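Review bot: "Keep an eye of those" in the paragraph about unmaintained crates should read "Keep an eye on those". Two further points worth making in this section: because the tarball vendors the crates, the `cargo-audit` run should be done against the same `Cargo.lock` the tarball is generated from, so that the scan covers exactly what ships; and cargo-audit reports unmaintained crates as informational warnings rather than as vulnerabilities, so the text could say explicitly that such warnings are a prompt to evaluate a replacement, not by themselves a reason to hold the `x.y.0` release.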

