1CARGO-YANK(1) General Commands Manual CARGO-YANK(1)
2
6 cargo-yank — Remove a pushed crate from the index
7
9 cargo yank [options] crate@version
10 cargo yank [options] --version version [crate]
11
13 The yank command removes a previously published crate’s version from
14 the server’s index. This command does not delete any data, and the
15 crate will still be available for download via the registry’s download
16 link.
17 Cargo will not use a yanked version for any new project or checkout
19 without a pre-existing lockfile, and will generate an error if there
20 are no longer any compatible versions for your crate.
21 This command requires you to be authenticated with either the --token
23 option or using cargo-login(1).
24 If the crate name is not specified, it will use the package name from
26 the current directory.
27 How yank works
29 For example, the foo crate published version 1.5.0 and another crate
30 bar declared a dependency on version foo = "1.5". Now foo releases a
31 new, but not semver compatible, version 2.0.0, and finds a critical
32 issue with 1.5.0. If 1.5.0 is yanked, no new project or checkout
33 without an existing lockfile will be able to use crate bar as it relies
34 on 1.5.
35 In this case, the maintainers of foo should first publish a semver
37 compatible version such as 1.5.1 prior to yanking 1.5.0 so that bar and
38 all projects that depend on bar will continue to work.
39 As another example, consider a crate bar with published versions 1.5.0,
41 1.5.1, 1.5.2, 2.0.0 and 3.0.0. The following table identifies the
42 versions cargo could use in the absence of a lockfile for different
43 SemVer requirements, following a given release being yanked:
44 ┌─────────────────┬──────────────────┬────────────────┬───────────────┐
47 │Yanked Version / │ bar = "1.5.0" │ bar = "=1.5.0" │ bar = "2.0.0" │
48 │SemVer │ │ │ │
49 │requirement │ │ │ │
50 ├─────────────────┼──────────────────┼────────────────┼───────────────┤
51 │1.5.0 │ Use either 1.5.1 │ Return Error │ Use 2.0.0 │
52 │ │ or 1.5.2 │ │ │
53 ├─────────────────┼──────────────────┼────────────────┼───────────────┤
54 │1.5.1 │ Use either 1.5.0 │ Use 1.5.0 │ Use 2.0.0 │
55 │ │ or 1.5.2 │ │ │
56 ├─────────────────┼──────────────────┼────────────────┼───────────────┤
57 │2.0.0 │ Use either │ Use 1.5.0 │ Return Error │
58 │ │ 1.5.0, 1.5.1 or │ │ │
59 │ │ 1.5.2 │ │ │
60 └─────────────────┴──────────────────┴────────────────┴───────────────┘
61 When to yank
63 Crates should only be yanked in exceptional circumstances, for example,
64 an accidental publish, an unintentional SemVer breakages, or a
65 significantly broken and unusable crate. In the case of security
66 vulnerabilities, RustSec <https://rustsec.org/> is typically a less
67 disruptive mechanism to inform users and encourage them to upgrade, and
68 avoids the possibility of significant downstream disruption
69 irrespective of susceptibility to the vulnerability in question.
70 A common workflow is to yank a crate having already published a semver
72 compatible version, to reduce the probability of preventing dependent
73 crates from compiling.
74 When addressing copyright, licensing, or personal data issues with a
76 published crate, simply yanking it may not suffice. In such cases,
77 contact the maintainers of the registry you used. For crates.io, refer
78 to their policies <https://crates.io/policies> and contact them at
79 <help@crates.io>.
80 If credentials have been leaked, the recommended course of action is to
82 revoke them immediately. Once a crate has been published, it is
83 impossible to determine if the leaked credentials have been copied.
84 Yanking the crate only prevents new users from downloading it, but
85 cannot stop those who have already downloaded it from keeping or even
86 spreading the leaked credentials.
87
89 Yank Options
90 --vers version, --version version
91 The version to yank or un-yank.
92 --undo
94 Undo a yank, putting a version back into the index.
95 --token token
97 API token to use when authenticating. This overrides the token
98 stored in the credentials file (which is created by
99 cargo-login(1)).
100 Cargo config
102 <https://doc.rust-lang.org/cargo/reference/config.html> environment
103 variables can be used to override the tokens stored in the
104 credentials file. The token for crates.io may be specified with the
105 CARGO_REGISTRY_TOKEN environment variable. Tokens for other
106 registries may be specified with environment variables of the form
107 CARGO_REGISTRIES_NAME_TOKEN where NAME is the name of the registry
108 in all capital letters.
109 --index index
111 The URL of the registry index to use.
112 --registry registry
114 Name of the registry to use. Registry names are defined in Cargo
115 config files
116 <https://doc.rust-lang.org/cargo/reference/config.html>. If not
117 specified, the default registry is used, which is defined by the
118 registry.default config key which defaults to crates-io.
119 Display Options
121 -v, --verbose
122 Use verbose output. May be specified twice for “very verbose”
123 output which includes extra output such as dependency warnings and
124 build script output. May also be specified with the term.verbose
125 config value
126 <https://doc.rust-lang.org/cargo/reference/config.html>.
127 -q, --quiet
129 Do not print cargo log messages. May also be specified with the
130 term.quiet config value
131 <https://doc.rust-lang.org/cargo/reference/config.html>.
132 --color when
134 Control when colored output is used. Valid values:
135 • auto (default): Automatically detect if color support is
137 available on the terminal.
138 • always: Always display colors.
140 • never: Never display colors.
142 May also be specified with the term.color config value
144 <https://doc.rust-lang.org/cargo/reference/config.html>.
145 Common Options
147 +toolchain
148 If Cargo has been installed with rustup, and the first argument to
149 cargo begins with +, it will be interpreted as a rustup toolchain
150 name (such as +stable or +nightly). See the rustup documentation
151 <https://rust-lang.github.io/rustup/overrides.html> for more
152 information about how toolchain overrides work.
153 --config KEY=VALUE or PATH
155 Overrides a Cargo configuration value. The argument should be in
156 TOML syntax of KEY=VALUE, or provided as a path to an extra
157 configuration file. This flag may be specified multiple times. See
158 the command-line overrides section
159 <https://doc.rust-lang.org/cargo/reference/config.html#command-line-overrides>
160 for more information.
161 -C PATH
163 Changes the current working directory before executing any
164 specified operations. This affects things like where cargo looks by
165 default for the project manifest (Cargo.toml), as well as the
166 directories searched for discovering .cargo/config.toml, for
167 example. This option must appear before the command name, for
168 example cargo -C path/to/my-project build.
169 This option is only available on the nightly channel
171 <https://doc.rust-lang.org/book/appendix-07-nightly-rust.html> and
172 requires the -Z unstable-options flag to enable (see #10098
173 <https://github.com/rust-lang/cargo/issues/10098>).
174 -h, --help
176 Prints help information.
177 -Z flag
179 Unstable (nightly-only) flags to Cargo. Run cargo -Z help for
180 details.
181
183 See the reference
184 <https://doc.rust-lang.org/cargo/reference/environment-variables.html>
185 for details on environment variables that Cargo reads.
186
188 • 0: Cargo succeeded.
189 • 101: Cargo failed to complete.
191
193 1. Yank a crate from the index:
194 cargo yank foo@1.0.7
196
198 cargo(1), cargo-login(1), cargo-publish(1)
199 CARGO-YANK(1)