Cargofox

Digging through crates, looking for mice.

About

What?

Basically, this is a site that attempts to dig deeper into crates.io, the package management ecosystem for the Rust programming language. The goal is to try to give useful meta-information about libraries, ranging from basic code statistics to subjective quality metrics. The inspiration comes from various high-profile attacks on similar public package repositories; Rust's repository is just as vulnerable as any other language's, and as open-source software becomes more complicated and more widespread, these sorts of attacks are only going to become easier to do and the rewards for succeeding at them will be higher. The ultimate goal of this site is to make it easier to find those sorts of attacks, notice them when they happen, and discover which libraries are at risk vs. which ones have been well-audited and well-verified. This is a HUGE task to do by hand, so why not automate it?

Why?

The priority of crates.io is to distribute crates with minimum fuss, never fail, and provide additional information like statistics when feasible. Its priority is not to judge/rate crates, provide community features like feedback or reviews, get in an arms race with abusers, or take sides in community schisms. The priority of this site is to collect, analyze and provide useful information. This includes (defensible, data-backed, but still subjective) opinions or summaries, so that crates.io doesn't have to.

And 'cause data mining is fun.

Is this trustworthy?

That's up to you.

More specifically, hopefully all the raw data presented here is correct. Part of the goal is to let you dig as deep down the rabbit-hole of trust as you want to, and follow the chain of conclusions all the way to the source. This is time-consuming to do by hand, so this tries to make it easier. There is analysis done on crates that tries to produce a helpful opinion that lets you make a useful judgement call, and this should be presented in a way that makes it clear what is fact and what is inference.

That said, the First Law Of Computing still stands: Garbage in, garbage out. There are a million tiny flaws in the raw data and fixing them is Hard. Nothing is going to be perfect, so let the reader beware.

Is this open-source?

Not yet. Will it be? I don't know yet. On the one hand, open source is awesome, and on the other hand, it would be nice if this became an endeavour I could do full-time without needing to have a job to support it. How do places like NPM do it? idk. Need to learn more about that. There's an item on the issue tracker for it, so suggestions are welcome.

Pros:

Cons:

That said, this site is only possible because of open-source software, and I'm a firm believer in giving back to the community. Any improvements or bug-fixes to the open-source software this site uses are upstreamed back to those projects. I have no intention of making this some sort of tiered subscription service; all the analytics on the site will remain available for anyone to use. I'll probably also provide raw data dumps at some point. The purpose of this project is to provide useful information, for everyone, to make the world a better place, and I hope to do whatever helps that purpose the most.

How up to date is it?

The goal is to have all analyses run once per day. Given the number of crates and the amount of computing power available, this may or may not be practical. Each page has a datestamp on it though, so you know how up to date it is.

Crawlers and bots

This site downloads the crates.io index, all actual crate files, and hits some of the crates.io API endpoints as well. It attempts to comply with the crates.io crawler policy, rate-limit itself, and in general be a good citizen. All HTTP requests from this site's crawlers should use the user-agent string "cargofox (https://cargofox.io/about.html)". If this site's bots appear to be causing problems, please open an issue on the issue tracker.

Do you store any user data?

Nothing beyond basic webserver logs. No data is sold to any third party. This site has never been asked to divulge data by any government.