Updates

crates.io adds built-in source browsing for published Rust crates

crates.io’s new Code tab lets Rust users inspect published source before cloning. The same update adds usernames, security signals, and pubtime metadata.

Sam Ortega··2 min read
Published
Listen to this article0:00 min
crates.io adds built-in source browsing for published Rust crates
Photo illustration

Does this make choosing dependencies faster and safer? The crates.io team’s July 13 update said yes, at least for the first half of that promise, with a built-in Code tab that lets visitors browse the exact source files cargo downloads for published crates. Until now, crates.io mostly gave you package metadata and a pointer back to the upstream repository. Now the registry itself has become the first stop for source review.

The change is more than a cosmetic viewer bolted onto a package page. crates.io is generating ZIPs and JSON manifests for published versions, then serving them through CDN delivery and HTTP range requests so the browser can fetch only the files it needs. That makes source exploration part of the registry’s plumbing, not a separate audit workflow. It also fits the way crates.io already operates as Rust’s official package registry, with infrastructure support from Amazon Web Services and Fastly.

AI-generated illustration
AI-generated illustration

The same update pointed to a broader shift in how identity works on the site. Under RFC 3946, crates.io is decoupling user accounts from GitHub and moving toward crates.io-native usernames. The main tracking issue, opened by carols10cents on May 26, broke that work into 15 sub-issues, including a dedicated users.username column, reserved usernames, owner lookup and API changes, signup-flow changes, and avatar selection work. The plan also stops usernames from changing when GitHub accounts are renamed or deleted, which clears the path for additional sign-in providers later.

Security and package sizing got more surface area too. crates.io pages now show RustSec advisories, warnings when crates have been superseded by standard-library replacements, and source-lines-of-code metrics. RustSec itself is the curated advisory database for known vulnerabilities, unsound code, and maintenance status across crates. The January 21, 2026 update said the Security tab was funded by OpenSSF and implemented by Dirkjan Ochtman. The registry also added a pubtime field to its index so tools can read when each version was published without extra API calls, with the behavior guarded by an INDEX_INCLUDE_PUBTIME feature flag and verified in snapshot tests that show RFC 3339 timestamps such as 2020-01-01T00:00:00Z and 2020-02-01T00:00:00Z.

That kind of registry-side work matters because crates.io has already shown how small plumbing mistakes can ripple outward. On July 20, 2023, a missing slash in a generated CDN URL broke all crate downloads for about 13 minutes and caused about 3.7 million failed requests. The new source browser, the username groundwork, and the added audit signals all push crates.io toward the same job: letting Rust developers inspect quality, maintenance, and API shape before they ever clone a repo.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

Did this article answer your question?

Discussion

More Rust Programming News