Help catch internal-crate squatting attacks when adding a dependency #10656
Labels: C-feature-request (Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`), Command-add, S-triage (Status: This issue is waiting on initial triage.)
Problem
Say a company has an internal registry with an internal crate `company-utils`. If an attacker knows this and creates a malicious crate on crates.io with that name, people will pick it up when running `cargo add` and forgetting the `--registry` flag.

Proposed Solution
Warn the user when a new registry dependency is added without `--registry` and the dependency name exists in one of the configured registries.

Notes
See also killercup/cargo-edit#451
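The check proposed above, written out as a stand-alone scanner so the heuristic is concrete. This is an added example, not code from cargo or cargo-edit: it assumes the names published by the internal registry have already been fetched into a list (here the constructed `INTERNAL_CRATES`), walks a manifest with a small line-based scanner rather than a full TOML parser, and reports every dependency whose name is claimed by the internal registry but whose entry carries no `registry` or `registry-index` key, which is exactly what a `cargo add company-utils` without `--registry` produces. The sample manifest is constructed for the demo.

```rust
use std::collections::HashSet;

/// Constructed example: crate names the internal registry is assumed to publish.
pub const INTERNAL_CRATES: &[&str] = &["company-utils", "company-auth"];

/// Constructed Cargo.toml mixing pinned and unpinned internal names.
pub const SAMPLE_MANIFEST: &str = r##"
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1.0"
company-utils = "1.2.3"   # what `cargo add company-utils` writes without --registry
company-auth = { version = "0.4", registry = "internal" }

[dev-dependencies.company-utils]
version = "1.2.3"

[target.'cfg(unix)'.dependencies]
"company-auth" = { version = "0.4", features = ["tls"] }
"##;

/// A dependency whose name is claimed by the internal registry but whose entry
/// has no registry key, so Cargo would resolve it from crates.io.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub table: String,
    pub name: String,
}

/// Does this `[...]` header name one of Cargo's dependency tables?
fn is_dep_table(header: &str) -> bool {
    ["dependencies", "dev-dependencies", "build-dependencies"]
        .iter()
        .any(|t| header == *t || header.ends_with(&format!(".{}", t)))
}

/// Split a per-dependency sub-table header such as `dependencies.company-utils`
/// into (table, crate name). Crate names cannot contain dots, so rsplit is safe.
fn split_subtable(header: &str) -> Option<(&str, &str)> {
    let (table, name) = header.rsplit_once('.')?;
    if is_dep_table(table) { Some((table, name)) } else { None }
}

/// Does an inline-table value like `{ version = "1", registry = "internal" }`
/// pin a registry (`registry` or `registry-index`)?
fn has_registry_key(value: &str) -> bool {
    value
        .split(|c| c == '{' || c == '}' || c == ',')
        .map(str::trim)
        .any(|kv| kv.starts_with("registry") && kv.contains('='))
}

/// Emit a finding for an open `[...dependencies.<name>]` sub-table that never
/// set a registry key.
fn close_subtable(sub: &mut Option<(String, String, bool)>, internal: &HashSet<&str>, out: &mut Vec<Finding>) {
    if let Some((table, name, pinned)) = sub.take() {
        if internal.contains(name.as_str()) && !pinned {
            out.push(Finding { table, name });
        }
    }
}

/// Scan a Cargo.toml and report every dependency whose name exists in the
/// internal registry but is not pinned to it. Comments are stripped at the
/// first `#` (naive for `#` inside string values), which covers what
/// `cargo add` itself writes.
pub fn find_unpinned_internal_deps(manifest: &str, internal_names: &[&str]) -> Vec<Finding> {
    let internal: HashSet<&str> = internal_names.iter().copied().collect();
    let mut findings = Vec::new();
    let mut table: Option<String> = None; // open `[dependencies]`-style table, if any
    let mut sub: Option<(String, String, bool)> = None; // (table, crate name, pinned)

    for raw in manifest.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() { continue; }
        if line.starts_with('[') {
            close_subtable(&mut sub, &internal, &mut findings);
            let header = line.trim_matches(|c| c == '[' || c == ']').trim();
            match split_subtable(header) {
                Some((t, name)) => { sub = Some((t.to_string(), name.to_string(), false)); table = None; }
                None => { table = if is_dep_table(header) { Some(header.to_string()) } else { None }; }
            }
            continue;
        }
        let (key, value) = match line.split_once('=') { Some(kv) => kv, None => continue };
        let key = key.trim().trim_matches(|c| c == '"' || c == '\'');
        if let Some(entry) = sub.as_mut() {
            if key == "registry" || key == "registry-index" { entry.2 = true; }
        } else if let Some(t) = &table {
            if internal.contains(key) && !has_registry_key(value) {
                findings.push(Finding { table: t.clone(), name: key.to_string() });
            }
        }
    }
    close_subtable(&mut sub, &internal, &mut findings);
    findings
}

fn main() {
    for f in find_unpinned_internal_deps(SAMPLE_MANIFEST, INTERNAL_CRATES) {
        println!(
            "warning: `{}` in [{}] matches an internal-registry crate but has no `registry` key; it would resolve from crates.io",
            f.name, f.table
        );
    }
}
```

Run against the sample it flags `company-utils` in `[dependencies]` and in its `[dev-dependencies.company-utils]` sub-table, and `company-auth` in the target-specific table, while the `company-auth` entry that sets `registry = "internal"` passes. A CI step that runs this over every manifest in the workspace gives the same protection the issue asks from `cargo add` itself, independent of which tool edited the file.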