
False-positive yank report if a crate is in a private registry, but same-named crate from public registry was yanked #528

Closed
Veetaha opened this issue Jul 13, 2023 · 2 comments
Labels
bug Something isn't working

@Veetaha (Contributor) commented Jul 13, 2023

Describe the bug
This is dumb, but this actually happened with us. I won't disclose the name of the crate we have in our particular use case, but suppose it's named foo. We have it at the latest version x.y.z in our private crates registry. However, the same-named crate foo exists on crates.io and its version x.y.z was yanked.

To Reproduce
Steps to reproduce the behavior:

  1. Publish a crate with the same name and version as some existing crate on crates.io. For example, take syn v2.0.19, which is yanked.
  2. Add this new crate from your private registry to another crate as a dependency. In our case, we still use the git-based index (see the offtopic section at the bottom of the issue). We have a config like this:
    [registries]
    private = { index = "https://dl.cloudsmith.io/basic/redacted-org/redacted-repo/cargo/index.git" }
  3. Now run cargo deny check
  4. You'll see an error saying that the crate from the private registry was yanked

Expected behavior
No "yanked crate" advisory should be reported, because the crate comes from our private registry, and it is different from the same-named crate on crates.io

Screenshots
Here is the redacted cargo-deny output:

error[yanked]: detected yanked crate
    ┌─ /home/runner/work/path/to/repo/Cargo.lock:627:1
    │
627 │ foo x.y.z registry+https://dl.cloudsmith.io/basic/redacted-org/redacted-repo/cargo/index.git
    │ ----------------------------------------------------------------------------------------- yanked version

Offtopic
I know Embark uses a private crates registry as well. I wonder if you still sit on a git-based registry index? We can't use the sparse crates registry index because it doesn't support auth tokens. Cloudsmith, for example, still provides a way to use the sparse registry, but the auth token in this case must be part of the registry index URL, which in turn means this URL becomes part of Cargo.lock and therefore the secret auth token needs to be committed into source control. This is because the issue rust-lang/cargo#10474 is not done. So... I just wanted to ask whether it also blocks your migration to the sparse registry index.
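The bug described above comes down to a lookup keyed on (name, version) alone, when a yank record only applies to one registry index. The following is an added example, not cargo-deny's own code: it parses a small constructed Cargo.lock, holds crates.io yank records in an assumed representation (name, version, and the index written in the same `registry+…` form the lockfile's `source` field uses), and contrasts the naive check with a source-aware one. The private-registry `source` reuses the redacted Cloudsmith URL from the issue; the package names, versions and yank records are constructed.

```rust
// Added example (not cargo-deny code): why a yank check must key on the
// package's source, not just on name and version.
use std::fmt;

/// One `[[package]]` entry from Cargo.lock (only the fields this example needs).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    /// The `source = "..."` field; `None` for path/workspace members.
    pub source: Option<String>,
}

/// A yanked version as recorded by a registry index. `index` is written in the
/// same `registry+<url>` form as a lockfile `source` (assumption for this example).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct YankedVersion {
    pub name: String,
    pub version: String,
    pub index: String,
}

pub const CRATES_IO_SOURCE: &str = "registry+https://github.com/rust-lang/crates.io-index";
pub const PRIVATE_SOURCE: &str =
    "registry+https://dl.cloudsmith.io/basic/redacted-org/redacted-repo/cargo/index.git";

/// Constructed lockfile: `foo 1.2.3` from the private registry, `foo 1.2.3`
/// from crates.io, and a path crate with no source.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "foo"
version = "1.2.3"
source = "registry+https://dl.cloudsmith.io/basic/redacted-org/redacted-repo/cargo/index.git"

[[package]]
name = "foo"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "local-tool"
version = "0.1.0"
"#;

/// Constructed yank record: crates.io yanked `foo 1.2.3`, the private index did not.
pub fn sample_yanked() -> Vec<YankedVersion> {
    vec![YankedVersion {
        name: "foo".into(),
        version: "1.2.3".into(),
        index: CRATES_IO_SOURCE.into(),
    }]
}

/// Minimal parser for the `[[package]]` tables of a Cargo.lock.
pub fn parse_lock(text: &str) -> Vec<LockedPackage> {
    let mut out = Vec::new();
    let mut cur: Option<LockedPackage> = None;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            if let Some(p) = cur.take() {
                out.push(p);
            }
            cur = Some(LockedPackage { name: String::new(), version: String::new(), source: None });
            continue;
        }
        if let (Some(pkg), Some((key, value))) = (cur.as_mut(), line.split_once('=')) {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => pkg.name = value,
                "version" => pkg.version = value,
                "source" => pkg.source = Some(value),
                _ => {}
            }
        }
    }
    if let Some(p) = cur {
        out.push(p);
    }
    out
}

/// Naive check: name + version only. Flags the private `foo` as a false positive.
pub fn yanked_naive(pkg: &LockedPackage, yanked: &[YankedVersion]) -> bool {
    yanked.iter().any(|y| y.name == pkg.name && y.version == pkg.version)
}

/// Source-aware check: a yank record applies only to packages from that index.
/// Path crates have no registry and can never be yanked.
pub fn yanked_by_source(pkg: &LockedPackage, yanked: &[YankedVersion]) -> bool {
    match pkg.source.as_deref() {
        None => false,
        Some(src) => yanked
            .iter()
            .any(|y| y.name == pkg.name && y.version == pkg.version && y.index == src),
    }
}

impl fmt::Display for LockedPackage {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{} {} {}", self.name, self.version, self.source.as_deref().unwrap_or("(path)"))
    }
}

/// Returns one "name version source" line per package flagged as yanked.
pub fn yank_report(lock: &str, yanked: &[YankedVersion], source_aware: bool) -> Vec<String> {
    parse_lock(lock)
        .iter()
        .filter(|p| if source_aware { yanked_by_source(p, yanked) } else { yanked_naive(p, yanked) })
        .map(|p| p.to_string())
        .collect()
}

fn main() {
    let yanked = sample_yanked();
    println!("naive:        {:?}", yank_report(SAMPLE_LOCK, &yanked, false));
    println!("source-aware: {:?}", yank_report(SAMPLE_LOCK, &yanked, true));
}
```

The naive report lists both `foo 1.2.3` entries; the source-aware report lists only the crates.io one, which is the behaviour the issue expects.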

@Veetaha Veetaha added the bug Something isn't working label Jul 13, 2023
@Veetaha Veetaha changed the title False-positively yank report if a crate is in a private registry, but same-named crate from public registry was yanked False-positive yank report if a crate is in a private registry, but same-named crate from public registry was yanked Jul 13, 2023
@Jake-Shadle (Member) commented:

This should have been fixed in #502, are you using a version older than 0.13.8?

@Veetaha (Contributor, Author) commented Jul 13, 2023

Oh, what a coincidence. We've been using version 0.13.1 on CI, and I've been using 0.13.7 locally. I've just updated cargo-deny and it works.

Thank you!

@Veetaha Veetaha closed this as completed Jul 13, 2023