Apologies in advance if this is considered too basic a question for the "internals" forum, but it seems a bit tricky and so far I haven't found a good solution.
I'm aware this can be done easily enough via the crates.io HTTP API, and worst case that's an option. I'm curious, however, if there's a way this information can be easily obtained via the local copy of the crates.io registry index, i.e. the one in ~/.cargo/registry/index.
Specifically I'm looking for options which don't require pulling in all of cargo as a library dependency, which is to say if there's a particular cargo subcommand I can invoke/exec to obtain this information, that'd be great. Unfortunately, it does not seem like yank information is surfaced in cargo metadata.
The files in the index are just newline-separated lists of json blobs, and one of the fields is "yanked": true/false: https://github.com/rust-lang/crates.io-index/blob/master/3/l/log#L40. The checked-out index on the disk is a bare repository, so you'll need to use something like libgit2 or git-the-binary to grab the file.
I started going down that route (cargo-audit already leverages the git2 crate to fetch/update the advisory database) and felt like I was reinventing some not-entirely-trivial cargo functionality.
If there aren't any better approaches available out-of-the-box via cargo as a subcommand it's something I can still consider.