Rust 1.96.0 adds Cargo dependency routing for git and registries
Cargo now routes one dependency through git in development and a registry in release builds, while Rust 1.96.0 also closes two Cargo CVEs.

Rust 1.96.0 lands with the kind of Cargo change maintainers have been working around for years: one dependency can now point at both a git repository and an alternate registry, letting Cargo use the git source locally and the registry version when publishing. That is a real quality-of-life improvement for crates that live in one place during development but need a cleaner distribution story when they ship.
The release, which arrived on May 28, 2026, also adds target.'cfg(..)'.rustdocflags support in configuration, giving Rust teams more control over documentation builds in conditional target setups. The draft notes in rust-lang/rust issue 156512 had already been tracking that manifest change, along with rustdoc deprecation-note rendering, before the release hit stable.

Rust 1.96.0 is not just a Cargo story, though. It stabilizes expr metavariables in cfg, several range APIs, assert_matches! and debug_assert_matches!, and From<T> impls for AssertUnwindSafe, LazyCell, and LazyLock. It also stabilizes iterating over ranges of NonZero integers, fixes a ManuallyDrop-as-pattern regression introduced in Rust 1.94.0, and folds in inline assembly support for s390x vector registers plus a more predictable take on never types in tuple expressions. On the library side, the release broadens range support and includes an SGX-related delayed host lookup fix.
The security angle is just as important. Cargo had two advisories disclosed on May 25, and both were fixed in 1.96.0. One involved symlinks inside crate tarballs from third-party registries, where a malicious crate could override another crate’s source code from the same registry. The other involved incorrect normalization of third-party registry URLs, which could send a Cargo token to a malicious registry in certain mixed-registry setups. The Cargo team merged fixes immediately before release to reject unpacking symlinks and unexpected tarball entries, and to stop stripping a .git suffix unless the URL actually used the git protocol.
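For teams that mirror or vendor crates from a third-party registry, the same class of check can be run over archives already on disk. The sketch below is an added example, not Cargo's code: it assumes a .crate file is a gzip-compressed tar whose entries all sit under a name-version/ directory, and the function names and sample archives are constructed for illustration.

```python
import io
import tarfile


def audit_crate(data: bytes, name: str, version: str) -> list[str]:
    """Return findings for a .crate archive; an empty list means it passed."""
    prefix = f"{name}-{version}/"  # assumed layout: every entry lives under this directory
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:  # iterates headers only, nothing is written to disk
            if m.issym() or m.islnk():
                findings.append(f"link entry: {m.name}")
            elif not (m.isfile() or m.isdir()):
                findings.append(f"unexpected entry type: {m.name}")
            # tarfile strips the trailing slash from directory names, so add it back
            inside = (m.name + "/").startswith(prefix)
            if not inside or ".." in m.name.split("/"):
                findings.append(f"outside {prefix}: {m.name}")
    return findings


def build_sample(entries) -> bytes:
    """Build a constructed in-memory .crate from (name, kind, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:  # "symlink": payload is the link target
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed samples: one well-formed archive, one with a link and a stray entry.
CLEAN = build_sample([("demo-0.1.0/Cargo.toml", "file", b"[package]\n"),
                      ("demo-0.1.0/src/lib.rs", "file", b"")])
SUSPECT = build_sample([("demo-0.1.0/Cargo.toml", "file", b""),
                        ("demo-0.1.0/src", "symlink", "elsewhere"),
                        ("other-9.9.9/src/lib.rs", "file", b"")])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_crate(blob, "demo", "0.1.0") or "ok")
```

Any finding on a cached or mirrored archive is a reason to quarantine it and re-fetch with a fixed Cargo rather than to unpack it.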
That combination makes 1.96.0 more consequential than a routine stable bump. Cargo already treats crates.io as the default registry, with alternate registries supplying their own index and web API for publishing. This release makes that model more flexible for day-to-day work and raises the security floor at the same time, which is exactly the kind of upgrade Rust teams should not sit on.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
