Querying for yanked crates via the local Cargo registry index

Apologies in advance if this is considered too basic a question for the "internals" forum, but it seems a bit tricky and so far I haven't found a good solution.

I'd like to add support to cargo-audit for warning users about yanked crates in their Cargo.lock, à la a similar feature in Cargo itself.

I'm aware this can be done easily enough via the crates.io HTTP API, and worst case that's an option. I'm curious, however, if there's a way this information can be easily obtained via the local copy of the crates.io registry index, i.e. the one in ~/.cargo/registry/index.

Specifically I'm looking for options which don't require pulling in all of cargo as a library dependency, which is to say if there's a particular cargo subcommand I can invoke/exec to obtain this information, that'd be great. Unfortunately, it does not seem like yank information is surfaced in cargo metadata.

The files in the index are just newline-separated lists of json blobs, and one of the fields is "yanked": true/false: https://github.com/rust-lang/crates.io-index/blob/master/3/l/log#L40. The checked-out index on the disk is a bare repository, so you'll need to use something like libgit2 or git-the-binary to grab the file.

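To make the format described above concrete, here is an added example (not code from the thread, from Cargo or from cargo-audit) that does the three steps by hand with only the standard library: compute the index path for a crate name (the same layout as the `3/l/log` file linked above), parse the newline-separated JSON lines of one index file into a version-to-yanked map, and cross-check the `[[package]]` entries of a Cargo.lock against it. Fetching the file bytes out of the bare repository is left to libgit2/git as the post says; the function takes the file contents as a string. The index lines and the lockfile are constructed samples for a hypothetical crate `acme-widget`, and the tiny `json_field` extractor and lockfile scanner are deliberately minimal stand-ins for serde_json/toml, not general parsers.

```rust
use std::collections::HashMap;

/// Path of a crate's file inside the crates.io index repository, e.g. `3/l/log`.
/// Names are lowercased; 1-, 2- and 3-character names get their own prefix
/// directories, longer names are filed under two 2-character directories.
/// Crate names are ASCII, so byte slicing is safe here.
pub fn index_path(name: &str) -> String {
    let name = name.to_ascii_lowercase();
    match name.len() {
        0 => String::new(),
        1 => format!("1/{name}"),
        2 => format!("2/{name}"),
        3 => format!("3/{}/{name}", &name[..1]),
        _ => format!("{}/{}/{name}", &name[..2], &name[2..4]),
    }
}

/// Raw value following `"key":` on one index line. Index lines are
/// machine-written single-line JSON objects with fixed keys, so this small
/// extractor is enough for the demo; real code should use serde_json
/// (or the crates-index crate, which parses these lines for you).
fn json_field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let pat = format!("\"{key}\":");
    let rest = line[line.find(pat.as_str())? + pat.len()..].trim_start();
    if let Some(s) = rest.strip_prefix('"') {
        Some(&s[..s.find('"')?])
    } else {
        let end = rest.find(|c: char| c == ',' || c == '}').unwrap_or(rest.len());
        Some(rest[..end].trim())
    }
}

/// version -> yanked flag for every entry in one index file.
pub fn parse_index_file(contents: &str) -> HashMap<String, bool> {
    contents
        .lines()
        .filter(|l| !l.trim().is_empty())
        .filter_map(|l| {
            let vers = json_field(l, "vers")?.to_string();
            Some((vers, json_field(l, "yanked") == Some("true")))
        })
        .collect()
}

/// (name, version) for each `[[package]]` table in a Cargo.lock. Only the
/// bare `name = "..."` / `version = "..."` lines cargo emits are recognised;
/// this is not a general TOML parser.
pub fn lockfile_packages(lock: &str) -> Vec<(String, String)> {
    let mut pkgs = Vec::new();
    let mut cur: (Option<String>, Option<String>) = (None, None);
    let mut in_package = false;
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            if let (Some(n), Some(v)) = std::mem::take(&mut cur) {
                pkgs.push((n, v));
            }
            in_package = line == "[[package]]";
        } else if in_package {
            if let Some(v) = line.strip_prefix("name = ") {
                cur.0 = Some(v.trim_matches('"').to_string());
            } else if let Some(v) = line.strip_prefix("version = ") {
                cur.1 = Some(v.trim_matches('"').to_string());
            }
        }
    }
    if let (Some(n), Some(v)) = cur {
        pkgs.push((n, v));
    }
    pkgs
}

/// Lockfile entries whose exact version is flagged yanked in `index`
/// (crate name -> parsed index file). Crates absent from `index` are
/// skipped: their status cannot be determined from the local copy.
pub fn yanked_in_lockfile(
    lock: &str,
    index: &HashMap<String, HashMap<String, bool>>,
) -> Vec<(String, String)> {
    lockfile_packages(lock)
        .into_iter()
        .filter(|(n, v)| index.get(n).and_then(|m| m.get(v)).copied().unwrap_or(false))
        .collect()
}

// Constructed sample data (not real crates.io content): a hypothetical crate
// `acme-widget` whose 0.2.1 release has been yanked. Checksums are dummies.
pub const SAMPLE_INDEX_FILE: &str = r#"{"name":"acme-widget","vers":"0.2.0","deps":[],"cksum":"0000","features":{},"yanked":false}
{"name":"acme-widget","vers":"0.2.1","deps":[],"cksum":"1111","features":{},"yanked":true}
"#;

pub const SAMPLE_LOCKFILE: &str = r#"
[[package]]
name = "acme-widget"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "acme-widget",
]
"#;

/// Run the check over the constructed samples.
pub fn demo() -> Vec<(String, String)> {
    let mut index = HashMap::new();
    index.insert("acme-widget".to_string(), parse_index_file(SAMPLE_INDEX_FILE));
    yanked_in_lockfile(SAMPLE_LOCKFILE, &index)
}

fn main() {
    println!("index file for acme-widget: {}", index_path("acme-widget"));
    for (name, version) in demo() {
        println!("warning: {name} {version} has been yanked");
    }
}
```

In a real tool the index file would be read out of the bare repository under ~/.cargo/registry/index with git2 (the same crate cargo-audit already uses for the advisory database) rather than from a string constant, and the check should treat a crate that is missing from the local index as "unknown", not "not yanked", since a stale or never-fetched index says nothing about its status.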

I started going down that route (cargo-audit already leverages the git2 crate to fetch/update the advisory database) and felt like I was reinventing some not-entirely-trivial cargo functionality.

If there aren't any better approaches available out-of-the-box via cargo as a subcommand it's something I can still consider.

That seems like a reasonable field to add to cargo-metadata's output but it doesn't appear to be in there right now.

crates-index has reinvented that part of Cargo already. It can read the existing bare repo, compute appropriate paths, and parse them.


Oh wow, that's exactly the sort of thing I was looking for! Thanks!