Skip to content

Limit registry-index dependency field to registry sources only #15503

New issue
New issue
Open
Open
Limit registry-index dependency field to registry sources only#15503
Labels
A-manifestArea: Cargo.toml issuesC-enhancementCategory: enhancementCommand-packageCommand-publishS-acceptedStatus: Issue or feature is accepted, and has a team member available to help mentor or review
@epage

Description

@epage
epage
opened on May 7, 2025
Contributor

When publishing a package with a custom registry, Cargo resolves the dependency registry field to registry-index (#14500). However, registry-index is for internal purposes only and this is not intended as a means for people to bypass the need for .cargo/config.toml (see #12738 for that use case).

We should look into a way to close this hole to avoid people relying on it unintentionally.

Activity

epage
added
Command-publish
Command-package
A-manifestArea: Cargo.toml issues
S-acceptedStatus: Issue or feature is accepted, and has a team member available to help mentor or review
C-enhancementCategory: enhancement
on May 7, 2025
epage

epage commented on May 7, 2025

@epage
epage
on May 7, 2025
ContributorAuthor

We could have the manifest parser error if the Source is not a Registry.

That might cause problems with the verify step though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-manifestArea: Cargo.toml issuesC-enhancementCategory: enhancementCommand-packageCommand-publishS-acceptedStatus: Issue or feature is accepted, and has a team member available to help mentor or review

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @epage

        Issue actions
          Limit `registry-index` dependency field to registry sources only · Issue #15503 · rust-lang/cargo