Rust package registry adds security tools and metrics to crates.io
The Rust project updated crates.io to include a Security tab on individual crate pages. The tab shows security advisories drawn from the RustSec database and lists which versions of a crate may have known issues. This change gives developers a way to view advisory information before selecting a crate as a dependency.
The tab shows known vulnerabilities for the crate along with the affected version ranges. (Source: crates.io team)
Changes to publishing workflows
The crates.io team expanded Trusted Publishing support that was introduced in 2025. Trusted Publishing now works with GitLab CI/CD in addition to GitHub Actions. This allows developers using GitLab.com to publish crates using an OIDC authentication flow that does not require managing long-lived API tokens.
“Note that this currently only works with GitLab.com. Self-hosted GitLab instances are not supported yet. The crates.io implementation has been refactored to support multiple CI providers, so adding support for other platforms like Codeberg/Forgejo in the future should be straightforward,” Tobias Bieniek, Software Engineer at the Rust Foundation, explained.
Source lines of code and publication time data
Crate pages now display source lines of code metrics. This metric is computed after a crate is published using the tokei crate and is also included in OpenGraph images for crate pages. The crate index now includes a pubtime field that records when each version of a crate was published. This data supports use cases such as implementing cooldown periods for new versions and enabling tools like Renovate to find release dates without additional API requests.
Frontend migration effort
The crates.io team began an experimental migration of the website frontend to the Svelte framework. The current goal is to produce a one-to-one port of the existing functionality. The Svelte frontend uses TypeScript and generates a type-safe API client from the OpenAPI description for crates.io. The team described the effort as work in progress and plans to share more details in future updates.
Miscellaneous updates
Download graphs now filter out requests from bots, scrapers, and mirrors to make statistics more meaningful. Emails sent by crates.io support HTML formatting. OAuth access tokens from GitHub are stored encrypted at rest. Crate pages show a link to browse source code on docs.rs. The sparse index for crates.io is served primarily through the Fastly CDN to reduce usage of AWS credits. The team also fixed emoji and CJK character rendering in OpenGraph images and adjusted background worker performance by optimizing database indexes.