cargo-aprz 1.0.0 makes Rust dependency hygiene measurable

cargo-aprz 1.0.0 turns crate trust into a scorecard, pulling issues, advisories, coverage, and release data into one Cargo command. It can even reject low-coverage dependencies.

Nina Kowalski

Rust teams have long judged dependencies by feel: a GitHub page here, a release cadence there, and a vague sense that a crate looks healthy enough. cargo-aprz 1.0.0 changes that routine by turning dependency hygiene into something measurable inside Cargo itself, with one command that can appraise a single crate or the full transitive tree behind a project.

The tool fits neatly into the workflow because Cargo already supports custom subcommands without modification. That means cargo-aprz runs as cargo aprz, not as a separate system bolted on from the outside. Its documentation frames the problem plainly: modern applications lean on many third-party crates, and that brings quality risk, security exposure, and future compatibility concerns along with the convenience. cargo-aprz answers with metrics instead of guesswork, collecting signals such as open issues, release frequency, security advisories, code examples, coverage, documentation, usage, stability, activity, and trustworthiness.

It also pushes beyond reporting. cargo-aprz can generate HTML and JSON reports, and it accepts policy expressions in aprz.toml so teams can set hard gates, including rules that reject a crate if coverage drops below a chosen threshold. The first run pulls a large database from crates.io and the RustSec advisory database, then caches the data for faster follow-up scans. That makes it practical for everyday use, whether the target is a single dependency under review or a whole project’s dependency graph before a release.

The 1.0.0 release also shows the project hardening under the load of real dependency trees. The release notes call out performance and correctness work, including switching cache serialization from JSON to MessagePack, reducing cloning, fixing throttler races, and correcting atomic visibility bugs. Earlier 2026 releases suggest the tool was still tightening its rules as it matured: v0.13.0 added an allow list to bypass the high-risk and medium-risk error checks, and v0.14.0 fixed feature handling while walking transitive dependencies.

That matters because Rust’s dependency conversation is shifting from “does it compile?” to “do I want to bet a product on it?” RustSec describes its database as community security advisories for crates on crates.io, and cargo-aprz brings that security-minded world into the same shell session where maintainers already work. For teams trying to separate healthy building blocks from crates that only look fine on the surface, that kind of repeatable check is a meaningful upgrade from instinct alone.
