
Limit `registry-index` dependency field to registry sources only

Open epage opened this issue 8 months ago • 2 comments

When publishing a package with a custom registry, Cargo resolves the dependency `registry` field to `registry-index` (#14500). However, `registry-index` is for internal purposes only and this is not intended as a means for people to bypass the need for `.cargo/config.toml` (see #12738 for that use case).

We should look into a way to close this hole to avoid people relying on it unintentionally.

epage, May 07 '25 17:05

We could have the manifest parser error if the Source is not a Registry.

That might cause problems with the verify step though.

epage, May 07 '25 17:05

In #16293, we found there are a lot of exceptions:

  • registry sources
  • directory sources for vendoring registry sources
  • verification builds for .crate files

Might have missed some. To cover all of these cases, we were needing to make some intrusive changes that needed to interact in just the right way, making this brittle.

One proposal in that issue is to just better document the limited nature of this field.

epage, Dec 01 '25 17:12