cargo-supply-chain
Grab the publisher of the exact version used as a dependency
By chance I came across this fact:
https://github.com/rust-lang/crates.io/blob/85bf66e511788523db925410dedc30cf91bb44d1/src/tasks/dump_db/dump-db.toml#L215
Apparently, the information about who published a particular crate version is publicly available in the data dumps, although that might not have been intended by all crates.io staff.
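An added sketch of the lookup this issue asks for (not code from cargo-supply-chain or crates.io): resolving each pinned `(name, version)` dependency to the account that published that exact version. It assumes the dump's `crates`, `versions` and `users` tables are CSV files with the columns `id`/`name`, `crate_id`/`num`/`published_by` and `id`/`gh_login`; the rows below are constructed sample data and the function names are hypothetical.

```python
import csv
import io

# Constructed sample rows, limited to the columns this example reads.
# Column names are assumed to match the crates.io dump tables.
CRATES_CSV = "id,name\n1,alpha\n2,beta\n"
USERS_CSV = "id,gh_login\n10,alice\n11,bob\n"
VERSIONS_CSV = (
    "crate_id,num,published_by\n"
    "1,1.0.0,10\n"
    "1,1.0.1,11\n"   # same crate, different publisher for this version
    "2,0.3.0,\n"     # empty published_by: publisher not recorded
)


def _rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def build_publisher_index(crates_csv, versions_csv, users_csv):
    """Map (crate name, version) -> publisher login, or None if unrecorded."""
    crate_names = {r["id"]: r["name"] for r in _rows(crates_csv)}
    logins = {r["id"]: r["gh_login"] for r in _rows(users_csv)}
    index = {}
    for r in _rows(versions_csv):
        name = crate_names.get(r["crate_id"])
        if name is None:
            continue  # version row whose crate is missing from the dump
        index[(name, r["num"])] = logins.get(r["published_by"]) or None
    return index


def publishers_for(deps, index):
    """Resolve pinned (name, version) pairs; None means unknown or unrecorded."""
    return {dep: index.get(dep) for dep in deps}


if __name__ == "__main__":
    idx = build_publisher_index(CRATES_CSV, VERSIONS_CSV, USERS_CSV)
    pinned = [("alpha", "1.0.1"), ("beta", "0.3.0"), ("gamma", "2.0.0")]
    for dep, who in publishers_for(pinned, idx).items():
        print(dep, "->", who or "unknown")
```

Keying on the exact version matters because the publisher of one release can differ from the publisher of the next, as the two `alpha` rows show.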