You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Cargo does not report/warn/error when there is a discrepancy between the crate metadata located in the index, and the actual metadata of the crate package when downloaded from a registry.
When investigating EmbarkStudios/krates#46 I encountered a crate, specifically conv v0.3.3, where the index entry differs from the crate's manifest when downloaded from crates.io.
[package]name = "conv"version = "0.3.3"authors = ["Daniel Keep <daniel.keep@gmail.com>"]
description = "This crate provides a number of conversion traits with more specific semantics than those provided by 'as' or 'From'/'Into'."repository = "https://github.com/DanielKeep/rust-conv"documentation = "https://danielkeep.github.io/rust-conv/doc/conv/index.html"readme = "README.md"license = "MIT"keywords = ["from", "into", "conversion", "approximation"]
exclude = [
"scripts/*",
"update-docs.py",
]
[dependencies]custom_derive = "0.1.2"[dev-dependencies]quickcheck = "0.2.21, < 0.2.25"
Note that in the index entry, there are 2 features, default and std, but in the package source, those features don't exist, and indeed, when looking at the commit history the source repository, this commit is possibly the one that was actually published as the 0.3.4 version.
If we generate the cargo metadata for this crate, we see the discrepancies more clearly. (note that I snipped the targets field for brevity)
The most obvious is that while the resolved node has the default and std features enabled in the resolved node, the actual features map in the package metadata is empty, presumably because while the features are resolved via the index entry, the package metadata is read from the crate source entirely. This also accounts for why the winapi crate, which is in the index entry, isn't shown as a dev dependency in the package metadata.
I believe this shows there is (or was?) a bug in cargo publish where such a situation was allowed to happen, I don't know how exactly the index and the crate package could disagree like this, but considering conv 0.3.3 was published "over 6 years ago" it's possible (likely?!) this faulty publish behavior has been fixed at some point.
Steps
cargo init weird
cd weird
cargo add conv
cargo metadata --format-version 1 > md.json
Possible Solution(s)
The obvious solution for this particular case would be to fix the crate package in crates.io for the conv crate, but I am assuming that if there is one crate like this in the crates.io registry, there are probably more, hence the request for some kind of warning message or something from cargo to indicate that something is amiss.
Notes
I'm reporting this to cargo since to me this kind of conflict should be reported by cargo to the user in some way, and indicates at least a previous bug in cargo publish, but feel free to move this to crates.io or wherever makes the most sense.
Problem
Cargo does not report/warn/error when there is a discrepancy between the crate metadata located in the index, and the actual metadata of the crate package when downloaded from a registry.
When investigating EmbarkStudios/krates#46 I encountered a crate, specifically
conv v0.3.3
, where the index entry differs from the crate's manifest when downloaded from crates.io.Index entry
$HOME/.cargo/registry/index/github.com-1ecc6299db9ec823/.cache/co/nv/conv
Package source
$HOME/.cargo/registry/src/github.com-1ecc6299db9ec823/conv-0.3.3/Cargo.toml
Note that in the index entry, there are 2 features,
default
andstd
, but in the package source, those features don't exist, and indeed, when looking at the commit history the source repository, this commit is possibly the one that was actually published as the 0.3.4 version.If we generate the
cargo metadata
for this crate, we see the discrepancies more clearly. (note that I snipped thetargets
field for brevity)The most obvious is that while the resolved node has the
default
andstd
features enabled in the resolved node, the actualfeatures
map in the package metadata is empty, presumably because while the features are resolved via the index entry, the package metadata is read from the crate source entirely. This also accounts for why thewinapi
crate, which is in the index entry, isn't shown as adev
dependency in the package metadata.I believe this shows there is (or was?) a bug in
cargo publish
where such a situation was allowed to happen, I don't know how exactly the index and the crate package could disagree like this, but consideringconv 0.3.3
was published "over 6 years ago" it's possible (likely?!) this faulty publish behavior has been fixed at some point.Steps
cargo init weird
cd weird
cargo add conv
cargo metadata --format-version 1 > md.json
Possible Solution(s)
The obvious solution for this particular case would be to fix the crate package in crates.io for the
conv
crate, but I am assuming that if there is one crate like this in the crates.io registry, there are probably more, hence the request for some kind of warning message or something from cargo to indicate that something is amiss.Notes
I'm reporting this to cargo since to me this kind of conflict should be reported by cargo to the user in some way, and indicates at least a previous bug in
cargo publish
, but feel free to move this tocrates.io
or wherever makes the most sense.Version
The text was updated successfully, but these errors were encountered: