
Cargo debate pits crate yanking against name re-registration risks

A Rust Internals thread warned that deleting a crate can hand its name to an attacker, while yanking preserves the record and the risk trail.

By Nina Kowalski

A crate that vanishes from crates.io should not come back under the same name, the latest Rust Internals debate argued, because re-registration can turn an old identity into a fresh supply-chain trap. The thread, posted on April 15, 2026, framed the issue in blunt security terms: yanking leaves an audit trail, but deletion can create confusion for downstream users and open the door to malicious lookalikes.

Cargo’s own documentation draws the line clearly. `cargo yank` removes a published version from the server index, but it does not delete the crate’s data, and the package remains downloadable through the registry’s download link. That design gives maintainers a way to stop normal resolution without erasing history, which is exactly why several participants treated yanking as the safer default for abandoned or compromised names.
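To make that difference concrete, here is an added audit script (not from the thread or from the Cargo project) that checks every registry package in a Cargo.lock against crates.io sparse-index files: a yanked version is still listed with `"yanked": true`, while a deleted crate has no index file left at all. The index path layout is Cargo's real one; the crate names, lockfile and index contents are constructed sample data, and the script assumes the index files have already been fetched into a dict.

```python
import json
import re

# Real crates.io sparse-index layout: short names get prefix directories,
# longer names live under two 2-character prefixes.
def index_path(name: str) -> str:
    n = name.lower()
    if len(n) <= 2:
        return f"{len(n)}/{n}"
    if len(n) == 3:
        return f"3/{n[0]}/{n}"
    return f"{n[:2]}/{n[2:4]}/{n}"

# Minimal Cargo.lock reader: (name, version) for every registry package.
def locked_packages(lock_text: str):
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.M))
        if fields.get("source", "").startswith("registry+"):
            yield fields["name"], fields["version"]

# Classify each locked version against fetched index files (path -> body).
# A yanked version stays listed with "yanked": true; a deleted crate has no
# file at all, indistinguishable from a name that was never registered.
def audit(lock_text: str, index_files: dict) -> dict:
    report = {}
    for name, version in locked_packages(lock_text):
        body = index_files.get(index_path(name))
        if body is None:
            status = "deleted-or-unknown"
        else:
            entries = [json.loads(l) for l in body.splitlines() if l.strip()]
            entry = next((e for e in entries if e["vers"] == version), None)
            status = ("version-missing" if entry is None
                      else "yanked" if entry.get("yanked") else "ok")
        report[f"{name} {version}"] = status
    return report

# Constructed sample data: hypothetical crate names, not real registry state.
SRC = 'source = "registry+https://github.com/rust-lang/crates.io-index"'
SAMPLE_LOCK = "".join(f'[[package]]\nname = "{n}"\nversion = "{v}"\n{SRC}\n'
    for n, v in [("fastjson", "1.0.2"), ("tinylog", "0.3.1"), ("goneby", "2.0.0")])
SAMPLE_INDEX = {  # "goneby" has no file at all: the crate was deleted
    index_path("fastjson"): '{"name":"fastjson","vers":"1.0.2","deps":[],"cksum":"00","features":{},"yanked":false}\n',
    index_path("tinylog"): '{"name":"tinylog","vers":"0.3.0","deps":[],"cksum":"00","features":{},"yanked":false}\n'
                           '{"name":"tinylog","vers":"0.3.1","deps":[],"cksum":"00","features":{},"yanked":true}\n',
}

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_LOCK, SAMPLE_INDEX).items():
        print(f"{pkg}: {status}")
```

Against a live registry the index bodies would come from `https://index.crates.io/` plus the path returned by `index_path`; a "deleted-or-unknown" result is the case where the name could already belong to someone else.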

The discussion then moved into mechanics. One proposal called for a generation-counter system, so each reuse of a crate name would be tracked as a distinct registry generation, with Cargo.lock files tied to the exact generation they were built against. Another suggestion would let crates.io owners block semver-compatible republishing, cutting off a path where a malicious patch release could be accepted automatically by caret-version users who assume a familiar name still means a familiar project.

The stakes are not theoretical. Rust’s security advisory database has logged multiple malicious-crate and vulnerability-related incidents in early April 2026, and the Rust blog changed its handling of malware reports in February 2026, saying it would stop publishing a separate blog post for every malicious-crate report and would always publish a RustSec advisory when malware is found. In a world where users lean on Cargo to reproduce builds and trust lockfiles, that kind of continuity in the advisory record matters.

The tension over name reuse also sits on top of newer crates.io policy work. The crates.io policy update RFC, accepted on November 7, 2023, was driven in part by name squatting and spam. Then, in February 2025, the Rust blog said crates.io had added a delete feature, including a delete button and API endpoint. RFC 3660 warned that deletion would make the registry less immutable and could confuse downstream projects that depend on deleted crates.

That is why the current argument lands so hard in Rust circles. Yanking preserves the paper trail, deletion can erase it, and a recycled name can make a compromised package look like the old one to anyone depending on Cargo’s normal resolution rules.
