In the Rust ecosystem, you only publish lock files for binary crates. So yeah th... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		Liskni_si 14 days ago \| parent \| context \| favorite \| on: Shai-Hulud malware attack: Tinycolor and over 40 N... In the Rust ecosystem, you only publish lock files for binary crates. So yeah then you get churn like https://github.com/cargo-bins/cargo-binstall/releases/tag/v1... bumping transitive deps, but this churn/noise doesn't exist for library crates - because the lock file isn't published for them.

the8472 14 days ago [–]

lib crates have been checking in their Cargo.lock for a while now.

https://github.com/rust-lang/cargo/pull/12382

Liskni_si 14 days ago | [–]

That Cargo.lock will only be used for the library's own CI though (and also for development if you git clone it). It will not be used by downstream dependencies at all.

Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact