cargo-yank(1)
NAME
cargo-yank --- Remove a pushed crate from the index
SYNOPSIS
cargo yank [options] crate@version
cargo yank [options] --version version [crate]
DESCRIPTION
The yank command removes a previously published crate's version from the server's index. This command does not delete any data, and the crate will still be available for download via the registry's download link.
Cargo will not use a yanked version for any new project or checkout without a pre-existing lockfile, and will generate an error if there are no longer any compatible versions for your crate.
This command requires you to be authenticated with either the --token option or using cargo-login(1).
If the crate name is not specified, it will use the package name from the current directory.
How yank works
For example, the foo crate published version 1.5.0 and another crate bar declared a dependency on version foo = "1.5". Now foo releases a new, but not semver compatible, version 2.0.0, and finds a critical issue with 1.5.0. If 1.5.0 is yanked, no new project or checkout without an existing lockfile will be able to use crate bar as it relies on 1.5.
In this case, the maintainers of foo should first publish a semver compatible version such as 1.5.1 prior to yanking 1.5.0 so that bar and all projects that depend on bar will continue to work.
As another example, consider a crate bar with published versions 1.5.0, 1.5.1, 1.5.2, 2.0.0 and 3.0.0. The following table identifies the versions cargo could use in the absence of a lockfile for different SemVer requirements, following a given release being yanked:
Yanked Version / SemVer requirement | bar = "1.5.0" | bar = "=1.5.0" | bar = "2.0.0" |
---|---|---|---|
1.5.0 | Use either 1.5.1 or 1.5.2 | Return Error | Use 2.0.0 |
1.5.1 | Use either 1.5.0 or 1.5.2 | Use 1.5.0 | Use 2.0.0 |
2.0.0 | Use either 1.5.0, 1.5.1 or 0.22.2 | Use 1.5.0 | Return Error |
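The selection rule behind the table, written as a small model: this is an added example, not Cargo's resolver code. The function names and the `locked` parameter are assumptions, and only bare (caret) and `=` requirements are modeled.

```rust
// Simplified model of yank-aware selection (added example, not Cargo's resolver).
type V = (u64, u64, u64);

fn parse(s: &str) -> V {
    let mut it = s.split('.').map(|p| p.parse::<u64>().expect("numeric version part"));
    (it.next().unwrap_or(0), it.next().unwrap_or(0), it.next().unwrap_or(0))
}

// "=X.Y.Z" is an exact requirement; a bare "X.Y.Z" is a caret requirement.
fn matches(req: &str, v: V) -> bool {
    if let Some(exact) = req.strip_prefix('=') {
        return v == parse(exact);
    }
    let r = parse(req);
    if v < r {
        return false;
    }
    match r {
        (0, 0, _) => v == r,
        (0, m, _) => v.0 == 0 && v.1 == m,
        (maj, _, _) => v.0 == maj,
    }
}

// Versions a resolve may pick. A yanked version is skipped unless an existing
// lockfile (hypothetical `locked` parameter) already pins exactly that version.
fn candidates(published: &[&str], yanked: &[&str], req: &str, locked: Option<&str>) -> Vec<String> {
    published
        .iter()
        .filter(|v| matches(req, parse(v)))
        .filter(|v| !yanked.contains(*v) || locked == Some(**v))
        .map(|v| v.to_string())
        .collect()
}

// Published versions of the crate bar from the example above.
const BAR: [&str; 5] = ["1.5.0", "1.5.1", "1.5.2", "2.0.0", "3.0.0"];

fn main() {
    for yanked in ["1.5.0", "1.5.1", "2.0.0"] {
        for req in ["1.5.0", "=1.5.0", "2.0.0"] {
            let c = candidates(&BAR, &[yanked], req, None);
            let out = if c.is_empty() { "error: no matching version".to_string() } else { c.join(", ") };
            println!("yanked {:<6} req {:<7} -> {}", yanked, req, out);
        }
    }
}
```

An empty result corresponds to the "Return Error" cells; passing `Some("1.5.0")` as `locked` shows why a checkout with a pre-existing lockfile keeps building after the yank.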
When to yank
Crates should only be yanked in exceptional circumstances, for example, an accidental publish, an unintentional SemVer breakage, or a significantly broken and unusable crate. In the case of security vulnerabilities, RustSec is typically a less disruptive mechanism to inform users and encourage them to upgrade, and avoids the possibility of significant downstream disruption irrespective of susceptibility to the vulnerability in question.
A common workflow is to yank a crate having already published a semver compatible version, to reduce the probability of preventing dependent crates from compiling.
When addressing copyright, licensing, or personal data issues with a published crate, simply yanking it may not suffice. In such cases, contact the maintainers of the registry you used. For crates.io, refer to their policies and contact them at [email protected].
If credentials have been leaked, the recommended course of action is to revoke them immediately. Once a crate has been published, it is impossible to determine if the leaked credentials have been copied. Yanking the crate only prevents new users from downloading it, but cannot stop those who have already downloaded it from keeping or even spreading the leaked credentials.
OPTIONS
Yank Options
--vers version
--version version
    The version to yank or un-yank.
--undo
    Undo a yank, putting a version back into the index.
--token token
    API token to use when authenticating. This overrides the token stored in the credentials file (which is created by cargo-login(1)).
    Cargo config environment variables can be used to override the tokens stored in the credentials file. The token for crates.io may be specified with the CARGO_REGISTRY_TOKEN environment variable. Tokens for other registries may be specified with environment variables of the form CARGO_REGISTRIES_NAME_TOKEN where NAME is the name of the registry in all capital letters.
--index index
    The URL of the registry index to use.
--registry registry
    Name of the registry to use. Registry names are defined in Cargo config files. If not specified, the default registry is used, which is defined by the registry.default config key which defaults to crates-io.
Display Options
-v
--verbose
    Use verbose output. May be specified twice for “very verbose” output which includes extra output such as dependency warnings and build script output. May also be specified with the term.verbose config value.
-q
--quiet
    Do not print cargo log messages. May also be specified with the term.quiet config value.
--color when
    Control when colored output is used. Valid values:
    auto (default): Automatically detect if color support is available on the terminal.
    always: Always display colors.
    never: Never display colors.
    May also be specified with the term.color config value.
Common Options
+toolchain
    If Cargo has been installed with rustup, and the first argument to cargo begins with +, it will be interpreted as a rustup toolchain name (such as +stable or +nightly). See the rustup documentation for more information about how toolchain overrides work.
--config KEY=VALUE or PATH
    Overrides a Cargo configuration value. The argument should be in TOML syntax of KEY=VALUE, or provided as a path to an extra configuration file. This flag may be specified multiple times. See the command-line overrides section for more information.
-C PATH
    Changes the current working directory before executing any specified operations. This affects things like where cargo looks by default for the project manifest (Cargo.toml), as well as the directories searched for discovering .cargo/config.toml, for example. This option must appear before the command name, for example cargo -C path/to/my-project build.
    This option is only available on the nightly channel and requires the -Z unstable-options flag to enable (see #10098).
-h
--help
    Prints help information.
-Z flag
    Unstable (nightly-only) flags to Cargo. Run cargo -Z help for details.
ENVIRONMENT
See the reference for details on environment variables that Cargo reads.
EXIT STATUS
0: Cargo succeeded.
101: Cargo failed to complete.
EXAMPLES
- Yank a crate from the index:
    cargo yank [email protected]