I saw a quote on another thread:
Note: even if you could prove that this didn't break any crates on crates.io through a crater run, it could still break code not on crates.io.
And it made me think of a possible idea to widen the net of crater/cargobomb. What if something indexed the Rust projects on GitHub (and GitLab/Bitbucket?) that weren't published on crates.io? Seems you could do something like look for the precence of
Cargo.toml in the root and/or a
language: rust. You'd want to prune out the duplicates that are published on crates.io, perhaps filtering out those that match any "Repository" listing in crates.io.
The advantage of this is you might have more coverage of "applications" rather than only libraries. I have a toy 2D game application on GitHub that would be such an example.
I'm not sure how you would do versioning of GitHub Rust projects unless they are doing tagging. You could use commits as pseudo releases.
It's likely, however, that the complexity of this is not worth the cost, but just thought I'd throw out the idea.