Skip to content

feat: emit a warning when both package.publish and --index are specified #16268

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 18, 2025
Merged

feat: emit a warning when both package.publish and --index are specified #16268

merged 4 commits into from
Nov 18, 2025
+96 −20

Conversation

@motorailgun
Copy link
Contributor

@motorailgun motorailgun commented Nov 17, 2025

Partially adresses #16231.

What does this PR try to resolve?

cargo publish will fail, if --registry is passed and that index isn't included in package.publish in Cargo.toml. However, as described in linked issue, --index bypasses that check and may cause unexpected publication of packages.

This PR implements warning that is shown when --index and package.publish is set at the same time.

@rustbot rustbot added A-interacts-with-crates.io Area: interaction with registries Command-publish S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Nov 17, 2025
@rustbot
Copy link
Collaborator

rustbot commented Nov 17, 2025

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@motorailgun motorailgun force-pushed the publish-restriction-bypass branch from d97bbc8 to d97621a Compare November 17, 2025 02:59
@epage
Copy link
Contributor

epage commented Nov 17, 2025

Note that we ask for commits to be atomic (https://doc.crates.io/contrib/process/working-on-cargo.html#submitting-a-pull-request). As an example of why this is useful, this PR extracts a method and adds a warning to it which takes more work for a reviewer to match things up to make sure nothing else changed unexpectedly and what the conditions for the warning are. Splitting this into two commits makes it more obvious.

It is also great if the test is added in its own commit before the warning, with it passing (so no warning shown). Then the commit that adds the warning updates the test. The diff then makes it very clear what changed.

@motorailgun
Copy link
Contributor Author

motorailgun commented Nov 17, 2025

Oops, that sounds very natural. Will fix it!

@motorailgun motorailgun force-pushed the publish-restriction-bypass branch from d97621a to 8e32885 Compare November 17, 2025 17:11
epage
epage reviewed Nov 17, 2025
View reviewed changes
epage
epage reviewed Nov 17, 2025
View reviewed changes
epage
epage reviewed Nov 17, 2025
View reviewed changes
src/cargo/ops/registry/publish.rs Outdated
Comment on lines 802 to 807
let opt_index_or_registry = opts.reg_or_index.clone();
let registry_is_specified_by_any_package = pkgs
.iter()
.any(|pkg| pkg.publish().as_ref().map(|v| v.len()).unwrap_or(0) > 0);

let res = match (opt_index_or_registry, registry_is_specified_by_any_package) {
Copy link
Contributor

@epage epage Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we match on registry_is_specified_by_any_package? Feels like it would have been cleaner to isolate the conditional to the branch where it mattered. With the new setup, readers have to figure out what is intentionally different and why while with an interior if, it will be clearer.

Copy link
Contributor Author

@motorailgun motorailgun Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I somehow thought it was a good idea. The code should look better now, including fix for the reviewed part below

epage
epage reviewed Nov 17, 2025
View reviewed changes
@motorailgun motorailgun force-pushed the publish-restriction-bypass branch 4 times, most recently from cb6f958 to 3684f52 Compare November 18, 2025 18:17
@motorailgun motorailgun force-pushed the publish-restriction-bypass branch from 3684f52 to d4a80f3 Compare November 18, 2025 18:28
@epage
Copy link
Contributor

epage commented Nov 18, 2025

Thanks! Makes your changes stand out a lot more

@epage epage enabled auto-merge November 18, 2025 19:02
@epage epage added this pull request to the merge queue Nov 18, 2025
Merged via the queue into rust-lang:master with commit 5c03433 Nov 18, 2025
26 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Nov 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@epage epage epage approved these changes

Assignees

@epage epage

Labels

A-interacts-with-crates.io Area: interaction with registries Command-publish

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@motorailgun @rustbot @epage