Cargo VS crates.io

Compare Cargo vs crates.io and see how they differ.

Cargo

The Rust package manager (by rust-lang)

crates.io

Source code for crates.io (by rust-lang)
 | Cargo | crates.io
Mentions | 120 | 311
Stars | 8,342 | 2,152
Growth | 3.3% | 1.6%
Activity | 9.8 | 9.9
 | 6 days ago | 4 days ago
Language | Rust | Rust
License | GNU General Public License v3.0 or later | GNU General Public License v3.0 or later
The number of mentions indicates the total number of mentions that we've tracked plus the number of user-suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

Cargo

Posts with mentions or reviews of Cargo. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-05-19.

crates.io

Posts with mentions or reviews of crates.io. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-05-13.
  • When will we learn? - Drew DeVault of Rust's (and other package managers') recent supply chain attack
    2 projects | reddit.com/r/rust | 13 May 2022
    While I don’t agree that system package managers, I really think that having core/community/unreviewed categorization on crates.io would be very useful. Just like architectures have tiers, crates could have tiers. Core crates would be the standard library, and maybe a very few selected packages like regex, serde, … Community crates would contain important crates that have active maintainers.
  • Supply Chain Thoughts
    3 projects | reddit.com/r/rust | 11 May 2022
    Sorry, I mean no benefit over the proposal of doing this on the server and outright preventing the publish of a crate with a low edit distance. I also proposed that crates.io maintains an audit log of publishes that includes edit distance, which I think is similar to your suggestion ultimately.
    3 projects | reddit.com/r/rust | 11 May 2022
    There's no support for scopes (yet). Although introducing scopes may indeed help with a lot of crates.io's issues.
  • criteria for establishing rust popularity?
    1 project | reddit.com/r/rust | 11 May 2022
    Is there an index or something to compare/measure Rust popularity with other languages? I want to know how popular Rust has become recently and how is its adoption going? Whenever I search on Google I find "stackoverflow developer survey" come up often, but I would like to see more sources. Also, is there any source where I can see the evolution of the number of crates on crates.io and its comparison with other package managers like PyPI or npm, etc.?
  • Security advisory: malicious crate rustdecimal | Rust Blog
    12 projects | reddit.com/r/rust | 10 May 2022
    Can crates.io just calc something like "Levenshtein distance" for a new crate name against existing popular crates, and if it is <=2, reject it with "your name is very similar to ..."?
    12 projects | reddit.com/r/rust | 10 May 2022
    I do not expect large enterprises to pull random crates from crates.io. If they work properly, they maintain their own private cargo repository, where they add codebases that are maintained by themselves or are mirrored on a crate-by-crate basis after a thoughtful review.
    12 projects | reddit.com/r/rust | 10 May 2022
    In fact, the crates.io team can go check this themselves, I think? If it's possible to see "which packages did people request that didn't exist" I suspect they'll find an edit distance of 1 character in >90% of cases. But they don't even have to - there's actually already plenty of research and plenty of attacks that we can look at.
  • Hey Rustaceans! Got a question? Ask here! (19/2022)!
    4 projects | reddit.com/r/rust | 10 May 2022
    Does anybody know any interesting details about how crates.io publishing works? And what the best way is to properly vet Rust source code pulled from crates.io?
    4 projects | reddit.com/r/rust | 10 May 2022
    That being said, it would be nice if crates on crates.io would link to the actual source code that was published. At least _alongside_ a link to the git repo.
  • Smuggling malicious code into crates.io ?
    1 project | reddit.com/r/rust | 10 May 2022
    I'm discussing Go vs Rust with my boss. He says Go has a better packaging system than Rust, because it's possible to publish different code on crates.io than the repo on GitHub. That way, one can accidentally import malicious code, even if one looks at the source code on GitHub. In Go, on the other hand, code is pulled from the repo directly, and a database of go.sum hashes ensures that it's always the exact same code.

What are some alternatives?

When comparing Cargo and crates.io you can also consider the following projects:

RustCMake - An example project showing usage of CMake with Rust

plotters - A rust drawing library for high quality data plotting for both WASM and native, statically and realtimely 🦀 📈🚀

gtk4-rs - Rust bindings of GTK 4

Rocket - A web framework for Rust.

Clippy - A bunch of lints to catch common mistakes and improve your Rust code

cargo-outdated - A cargo subcommand for displaying when Rust dependencies are out of date

opencv-rust - Rust bindings for OpenCV 3 & 4

RustScan - 🤖 The Modern Port Scanner 🤖

cargo-check

rust-analyzer - A Rust compiler front-end for IDEs [Moved to: https://github.com/rust-lang/rust-analyzer]

trunk - Build, bundle & ship your Rust WASM application to the web.

windows-rs - Rust for Windows