Rust 1.96.0 adds stable Copy-friendly range types and tooling updates

Rust 1.96.0 landed with a clear message: the standard library is getting a cleaner range story, and Cargo users on third-party registries need to pay attention now. The Rust Release Team shipped the release on May 28, 2026, after pre-release testing went out on May 26, and it followed Rust 1.95.0, which arrived on April 16.

The headline change is the new stable range API in std::range. Rust 1.96.0 exposes replacement types such as Range, RangeFrom, and RangeInclusive that are meant to be Copy-friendly and to work through IntoIterator rather than Iterator. The docs say these types are intended to replace the legacy Range, RangeInclusive, RangeToInclusive, and RangeFrom types in a future edition, giving library authors a migration path instead of a sudden break. For crates that currently fight the borrow checker every time they want to tuck a range inside another Copy type, that is the kind of cleanup that can ripple through public APIs fast.

Rust 1.96.0 also stabilized assert_matches! and debug_assert_matches!, two additions that make pattern checks less clumsy and failures easier to diagnose. assert_matches! panics with the debug representation of the value on failure, while debug_assert_matches! stays out of optimized release builds unless debug assertions are enabled. That makes the pair useful both in tests and in development-time guard rails where a full runtime check would be too expensive to leave on in production.

Cargo got two notable behavior changes as well. A dependency can now specify both a git repository and an alternate registry, using the git repository locally and the registry version when the crate is published. Cargo 1.96.0 also adds target.'cfg(..)'.rustdocflags support in configuration, giving maintainers another way to tune documentation builds without awkward workarounds.

The security fixes are the part maintainers should treat as urgent. The Rust Security Response Team said CVE-2026-5222 involved Cargo URL normalization for sparse third-party registries, creating a low-severity credential exposure risk in a niche multi-registry setup. CVE-2026-5223 involved symlink handling in crate tarballs from third-party registries, where a malicious crate could override the source code of another crate from the same registry. crates.io users are not affected by either issue, but anyone pulling from third-party registries should verify their setup and update their toolchain.

For maintainers, the checks are straightforward: test code that exposes ranges in public APIs, confirm any mixed git-and-registry dependency declarations behave the way you expect, and rebuild docs where rustdoc output matters. Rust 1.96.0 is not just a point release with polish; it is a release that tightens Cargo, smooths the standard library, and nudges the ecosystem toward a cleaner range model all at once.