
fix(vendor): add $comment to .cargo-checksum.json#16967

Merged
Muscraft merged 1 commit into rust-lang:master from weihanglo:vendor-comment
May 6, 2026

Conversation

@weihanglo (Member)

What does this PR try to resolve?

Clarify it only protects against accidental modifications and is not a security mechanism.

Cargo doesn't set `deny_unknown_fields` on the `Checksum` struct, so older Cargo versions will just silently skip the `$comment` key. No backward compat issue.
However, if external tools reject unknown fields they may have issues.

Also, this adds source diff churn when running `cargo vendor` between different toolchain versions even when dependencies have no changes.

How to test and review this PR?

cc #16966

And see #t-cargo > adding a comment on `.cargo-checksum.json`

Clarify it only protects against accidental modifications
and is not a security mechanism.

Cargo doesn't set `deny_unknown_fields` on the `Checksum` struct,
so older Cargo versions will just silently skip the `$comment` key.
No backward compat issue.
However, if external tools reject unknown fields they may have issues.

Also, this adds source diff churn when running `cargo vendor` between
different toolchain versions even when dependencies have no changes.
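
Added example, not code from the cargo project: a small Python checker in the role of the "external tool" the description mentions. It verifies a vendored crate's files against `.cargo-checksum.json` (catching an accidental local edit) and shows that a tolerant parser ignores the new `$comment` key while a strict one that rejects unknown fields, as a serde struct with `deny_unknown_fields` would, errors out. The `$comment` wording, file names and hashes are constructed placeholders; the real comment text is whatever `cargo vendor` writes.

```python
import hashlib
import json
import tempfile
from pathlib import Path

KNOWN_KEYS = {"files", "package"}  # the keys Cargo's Checksum struct reads

def parse_checksum(text, strict=False):
    """strict=False mirrors Cargo (unknown keys such as `$comment` are ignored);
    strict=True mimics a tool using deny_unknown_fields, which rejects them."""
    data = json.loads(text)
    unknown = set(data) - KNOWN_KEYS
    if strict and unknown:
        raise ValueError("unknown fields: %s" % sorted(unknown))
    return {"files": data["files"], "package": data.get("package")}

def verify_vendored(crate_dir, strict=False):
    """Return the vendored files whose content no longer matches its checksum."""
    crate = Path(crate_dir)
    checksum = parse_checksum(crate.joinpath(".cargo-checksum.json").read_text(), strict)
    return [rel for rel, expected in checksum["files"].items()
            if hashlib.sha256(crate.joinpath(rel).read_bytes()).hexdigest() != expected]

def strict_tool_rejects(crate_dir):
    """True if a deny-unknown-fields tool would choke on the checksum file."""
    try:
        verify_vendored(crate_dir, strict=True)
        return False
    except ValueError:
        return True

def tamper_file(crate_dir, rel):
    """Simulate an accidental local edit of a vendored file; returns crate_dir."""
    with Path(crate_dir, rel).open("a") as f:
        f.write("// accidental local edit\n")
    return crate_dir

def make_demo_crate():
    """Constructed vendored crate whose checksum file carries a `$comment`
    (placeholder wording; the real text is whatever cargo vendor writes)."""
    crate = Path(tempfile.mkdtemp())
    src = "fn main() {}\n"
    crate.joinpath("main.rs").write_text(src)
    meta = {"$comment": "PLACEHOLDER: detects accidental edits, not a security mechanism",
            "files": {"main.rs": hashlib.sha256(src.encode()).hexdigest()},
            "package": "0" * 64}  # constructed stand-in for the .crate tarball hash
    crate.joinpath(".cargo-checksum.json").write_text(json.dumps(meta))
    return str(crate)
```

`verify_vendored(make_demo_crate())` returns an empty list, `strict_tool_rejects` on the same crate returns True because of `$comment`, and after `tamper_file(..., "main.rs")` the mismatch list contains `main.rs`.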
@rustbot rustbot added Command-vendor S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels May 6, 2026
@rustbot (Collaborator) commented May 6, 2026

r? @ehuss

rustbot has assigned @ehuss.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: @ehuss, @epage, @weihanglo
  • @ehuss, @epage, @weihanglo expanded to ehuss, epage, weihanglo
  • Random selection from ehuss, epage

@Muscraft (Member) left a comment

Thanks for doing this!

Since this was a request from wg-security-response, I think it would be best to wait for their review before merging to make sure they are happy with the wording and feel it will be helpful in reducing the false-positive report volume.


@emilyalbini (Member) left a comment

Amazing, thank you!


@Muscraft Muscraft added this pull request to the merge queue May 6, 2026
Merged via the queue into rust-lang:master with commit 10262b6 May 6, 2026
29 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label May 6, 2026
@weihanglo weihanglo deleted the vendor-comment branch May 6, 2026 18:37
rust-bors Bot pushed a commit to rust-lang/rust that referenced this pull request May 9, 2026
Update cargo submodule

13 commits in 4f9b52075316e9ced380c8fa492858048d5758b6..a343accce8526b128adc517d33348573d22920a3
2026-05-01 22:36:41 +0000 to 2026-05-08 22:41:35 +0000
- docs(guide): Fix a typo (rust-lang/cargo#16980)
- chore(deps): update msrv (3 versions) to v1.93 (rust-lang/cargo#16979)
- refactor(diag): Move lints to diagnostics (rust-lang/cargo#16978)
- refactor(lints): Pull out `unknown_lints` lint logic and `missing_lints_features` diagnostic logic (rust-lang/cargo#16976)
- refactor(lints): Move things out of `lints/mod.rs` (rust-lang/cargo#16975)
- test: cover search API redirects (rust-lang/cargo#16971)
- refactor(lints): Instrument lints for logging  (rust-lang/cargo#16972)
- docs: `.cargo-checksum.json` is not a security mechanism (rust-lang/cargo#16966)
- fix(vendor): add `$comment` to `.cargo-checksum.json` (rust-lang/cargo#16967)
- test: Fixed arg order in rustdoc json test (rust-lang/cargo#16968)
- fix(config): `[env]` relative paths definition  (rust-lang/cargo#16957)
- fix(config): normalize included config paths  (rust-lang/cargo#16964)
- Fix heading level of `build.warnings` documentation. (rust-lang/cargo#16961)

r? ghost
@rustbot rustbot added this to the 1.97.0 milestone May 9, 2026