Cargofox logo: a fox chewing on a curly brace.

Cargofox

Digging through crates, looking for mice.

About

What?

Basically, this is a site that attempts to dig deeper into crates.io, the package management ecosystem for the Rust programming language. The goal is to try to give useful meta-information about libraries, ranging from basic code statistics to subjective quality metrics. The inspiration comes from various high-profile attacks on similar public package repositories; Rust's respository is just as vulnerable as any other language's, and as open-source software becomes more complicated and more wide-spread, these sorts of attacks are only going to become easier to do and the rewards for succeeding at them will be higher. The ultimate goal of this site is to make it easier to find those sorts of attacks, notice them when they happen, and discover which libraries are at risk vs. which ones have been well-audited and well-verified. This is a HUGE task to do by hand, so why not automate it?

Why?

The priority of crates.io is to distribute crates with minimum fuss, never fail, and provide additional information like statistics when feasible. Its priority is not to judge/rate crates, provide community features like feedback or reviews, get in an arms race with abusers, or take sides in community schisms. The priority of this site is to collect, analyze and provide useful information. This includes (defensible, data-backed, but still subjective) opinions or summaries, so that crates.io doesn't have to.

And 'cause data mining is fun.

Is this trustworthy?

That's up to you.

More specifically, hopefully all the raw data presented here is correct. Part of the goal is to let you dig as deep down the rabbit-hole of trust as you want to, and follow the chain of conclusions all the way to the source. This is time-consuming to do by hand, so this tries to make it easier. There is analysis done on crates that tries to produce a helpful opinion that lets you make a useful judgement call, and this should be presented in a way that makes it clear what is fact and what is inference.

That said, the First Law Of Computing still stands: Garbage in, garbage out. There's a million tiny flaws in the raw data that goes into this, and fixing them is Hard. Nothing is going to be perfect, so let the reader beware.

Is this open-source?

Yes! Find the source code here: https://hg.sr.ht/~icefox/cargofox

How up to date is it?

The goal is to have all analyses run once per day. Given the number of crates and the amount of computing power available this may or may not be practical. Each page has a datestamp on it though, so you know at least how up to date it MIGHT be.

Crawlers and bots

This site downloads the crates.io index,, all actual crate files, and hits some of the crates.io API endpoints as well. It attempts to comply with the crates.io crawler policy, rate-limit itself, and in general be a good citizen. All HTTP requests from this site's crawlers should use the user-agent string "cargofox (https://cargofox.io/about.html)". If this site's bots appear to be causing problems, please open an issue on the issue tracker.

Do you store any user data?

Nothing beyond basic webserver logs. No data is sold to any third party. This site has never been asked to divulge data by any government or law enforcement.