Help catch internal-crate squatting attacks when adding a dependency

[epage]

Problem

Say a company has an internal registry and with an internal crate company-utils. If an attacker knows this and creates a malicious crate in crates.io with that name, people will pick it up when running cargo add and forgetting the --registry flag

Proposed Solution

Warn the user when a new registry dependency is added without --registry and the dependency name exists in one of the configured registries.Se

Notes

See also killercup/cargo-edit#451

[epage]

For typo squatting, see #10655

[kornelski]

edited: I'm not sure any more whether it's a problem that registries will learn about other package names. Use of a registry inherently requires a high level of trust, since the registry has effectively power to run arbitrary code on your machine. Making it safe to use untrusted registries would require protocol changes, and if that ever happens, that can tackle information disclosures too.

But for the sake of extra privacy and offline support, the check can be done (only) against the local cache. Users of private registries will usually already have their private crates' metadata cached from previous uses or via other private dependencies, so the check can be effective even if limited to only local cache. It's unfortunate it can't be 100% reliable, but I think some warning is better than none at all.