The `[hints]` table in a `Cargo.toml` manifest provides optional
information that Cargo can use for building the package, and will use
even when using the package as a dependency. All hints can be safely
ignored, and Cargo only warns about unknown hints, but does not error.
This allows packages to use hints without depending on new Cargo.
Add a `mostly-unused` hint, which allows a package to hint that most
users of the package will not use most of its items. This is useful for
improving the build performance of crates with large dependencies.
Crates can override this hint using `hint-mostly-unused = false` in
their profile for a dependency.
These tests show what prior versions of Cargo will do with hints.
The subsequent addition of support for hints will modify these tests to
reflect the corresponding changes to Cargo.
Hi Everyone!
This is PR for the implementation of the first milestone of [GSoC
Project : Build Script
Delegation](https://summerofcode.withgoogle.com/programs/2025/projects/nUt4PdAA)
This will provide actual implementation for #15630
### What does this PR try to resolve?
Now, multiple build scripts are parsed, this PR aims to implement the
functioning the feature. This PR will allow users to use multiple build
scripts, and is backward compatible with single script as well as
boolean values.
**Motivation :** This will help users to maintain separate smaller and
cleaner build scripts instead of one large build script. This is also
necessary for build script delegation.
Deferred
- Accessing each build script's `OUT_DIR`: This will be handled in a
follow up PR. For now, each build script writes to its own `OUT_DIR` and
`OUT_DIR` for the regular build targets is set to the build script with
the **lexicographically largest** name..
- User control over which build script wins in a conflict. This will be
handled in a follow up PR. If two build scripts write to the same env
variable, which gets applied to the binary? Currently, its the build
script with the **lexicographically largest** name. This makes it
deterministic. With some futzing, users can control this for now.
However, with build script delegation, users won't be able to control
this. We likely want it based off of the order the user assigns into the
build script array.
- Something about linking a C library is actually preferring
**lexicographically smallest** name. We should handle conflicts
consistently. We need to dig into what parts are doing it based on
smallest and make sure that whatever priority scheme we use for env
variables applies here as well.
### How to test and review this PR?
There is a feature gate `multiple-build-scripts` that can be passed via
`cargo-features` in `Cargo.toml`. So, you have to add
```toml
cargo-features = ["multiple-build-scripts"]
```
Preferably on the top of the `Cargo.toml` and use nightly toolchain to
use the feature
### What does this PR try to resolve?
For numbers, see https://epage.github.io/blog/2025/07/toml-09/
Further areas for improvement:
- Enable `fast_hash` (see #15649)
- Only track spans for local manifests, allowing us to skip the
`make_owned` call for most packages
### How to test and review this PR?
This PR marks several tests within cache_lock.rs as unsupported on the
AIX platform. The tests relies on flock() behaviour that is not
supported on AIX.
### What does this PR try to resolve?
A user will now be able to use flags like `--workspace` with `cargo
publish`.
`cargo package` will now also work with those flags without having to
pass `--no-verify --exclude-lockfile`.
Many release tools have come out that solve this problem. They will
still need a lot of the logic that went into that for other parts of the
release process.
However, a cargo-native solution allows for:
- Verification during dry-run
- Better strategies for waiting for the publish timeout
`cargo publish` is non-atomic at this time.
If there is a server side error, network error, or rate limit during the
publish, the workspace will be left in a partially published state.
Verification is done before any publishing so that won't affect things.
There are multiple strategies we can employ for improving this over
time, including
- atomic publish
- `--idempotent` (#13397)
- leave this to release tools to manage
This includes support for `--dry-run` verification. As release tools
didn't have a way to do this before, users may be surprised at how slow
this is because a `cargo build` is done instead of a `cargo check`. This
is being tracked in #14941.
This adds to `cargo package` the `--registry` and `--index` flags to
help with resolving dependencies when depending on a package being
packaged at that moment.
These flags are only needed when a `cargo package --workspace` operation
would have failed before due to inability to find a locally created
dependency.
Regarding the publish timeout, `cargo publish --workspace` publishes
packages in batches and we only timeout if nothing in the batch has
finished being published within the timeout, deferring the rest to the
next wait-for-publish. So for example, if you have packages `a`, `b`,
`c` then we'll wait up to 60 seconds and if only `a` and `b` were ready
in that time, we'll then wait another 60 seconds for `c`.
During testing, users ran into issues with `.crate` checksums:
- ~~#15647~~ Fixed for `cargo publish --dry-run` in #15711
- But `cargo package` still has the problem
- #14396 (not been able to reproduce)
- #15622 (reproducible with consecutive `cargo publish` calls)
Fixes#1169Fixes#10948
### How to test and review this PR?
By stabilizing this, Cargo's behavior becomes dependent on an overlay
registry.
When generating a lockfile or verifying a package, we overlay the
locally generated `.crate` files on top of the registry so the registry
appears as it would and everything works.
If there is a conflict with a version, the local version wins which is
important for the dry-run mode of release tools as they won't have
bumped the version yet.
Our concern for the overlay registry is dependency confusion attacks.
Considering this is not accessible for general user operations, this
should be fine.
### What does this PR try to resolve?
cargo-auditable 0.7.0 will use the unstable Cargo SBOM precursor files
if a user configures Cargo to generate the SBOM files. cargo-auditable
assumes that the package ID specifiers in Cargo SBOM files are fully
qualified.
We'd like to enforce this assumption in Cargo so we can keep our package
ID spec parsing simpler by not considering non-fully qualified package
ID specs. This PR updates the cargo docs to state where fully qualified
package ID specs are used, and also adds SBOMs to the existing `cargo
pkgid` test that is currently enforcing consistency between the various
usages of fully qualified package id specs.
Previously raised at [#t-cargo > sbom missing name, version, source @
💬](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/sbom.20missing.20name.2C.20version.2C.20source/near/525443447)
### How to test and review this PR?
Change doesn't affect current behaviour.
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
|
[cargo-semver-checks](https://redirect.github.com/obi1kenobi/cargo-semver-checks)
| minor | `0.41.0` -> `0.42.0` |
---
### Release Notes
<details>
<summary>obi1kenobi/cargo-semver-checks (cargo-semver-checks)</summary>
###
[`v0.42.0`](https://redirect.github.com/obi1kenobi/cargo-semver-checks/compare/v0.41.0...v0.42.0)
[Compare
Source](https://redirect.github.com/obi1kenobi/cargo-semver-checks/compare/v0.41.0...v0.42.0)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Every minute ( * * * * * ) (UTC),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/rust-lang/cargo).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNy4yIiwidXBkYXRlZEluVmVyIjoiNDEuMTcuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
### What does this PR try to resolve?
This is prep for updating `toml` which will change some of these error
messages
### How to test and review this PR?
### What does this PR try to resolve?
Implements another part of feature unification (#14774,
[rfc](1c590ce05d/text/3692-feature-unification.md)).
The `workspace` option was implemented in #15157, this adds the
`package` option.
### How to test and review this PR?
The important change is changing `WorkspaceResolve` so it can contain
multiple `ResolvedFeature`s. Along with that, it also needs to know
which specs those features are resolved for. This was used in several
other places:
- `cargo fix --edition` (from 2018 to 2021) - I think it should be ok to
disallow using `cargo fix --edition` when someone already uses this
feature.
- building std - it should be safe to assume std is not using this
feature so I just unwrap there. I'm not sure if some attempt to later
feature unification would be better.
- `cargo tree` - I just use the first feature set. This is definitely
not ideal, but I'm not entirely sure what's the correct solution here.
Printing multiple trees? Disallowing this, forcing users to select only
one package?
Based on comments in #15157 I've added tests first with `selected`
feature unification and then changed that after implementation. I'm not
sure if that's how you expect the tests to be added first, if not, I can
change the history.
I've expanded the test checking that this is ignored for `cargo install`
although it should work the same way even if it is not ignored
(`selected` and `package` are the same thing when just one package is
selected).
