{"id":18894169,"url":"https://github.com/trailofbits/cargo-unmaintained","last_synced_at":"2025-04-10T10:14:30.804Z","repository":{"id":206577019,"uuid":"717233094","full_name":"trailofbits/cargo-unmaintained","owner":"trailofbits","description":"Find unmaintained packages in Rust projects","archived":false,"fork":false,"pushed_at":"2024-05-23T06:08:10.000Z","size":1126,"stargazers_count":45,"open_issues_count":3,"forks_count":2,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-05-23T06:28:00.771Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://crates.io/crates/cargo-unmaintained","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-10T21:47:28.000Z","updated_at":"2024-06-10T13:35:16.480Z","dependencies_parsed_at":"2023-11-14T22:24:20.380Z","dependency_job_id":"e8d94b25-69ee-4c8d-8adb-548825ec8887","html_url":"https://github.com/trailofbits/cargo-unmaintained","commit_stats":null,"previous_names":["trailofbits/cargo-unmaintained"],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcargo-unmaintained","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcargo-unmaintained/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcargo-unmaintained/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/trailofbits%2Fcargo-unmaintained/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trailofbits","download_url":"https://codeload.github.com/trailofbits/cargo-unmaintained/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248198891,"owners_count":21063628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T08:19:06.989Z","updated_at":"2025-04-10T10:14:30.796Z","avatar_url":"https://github.com/trailofbits.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cargo-unmaintained\n\n**Find unmaintained packages in Rust projects**\n\n`cargo-unmaintained` is similar to [`cargo-audit`]. However, `cargo-unmaintained` finds unmaintained packages automatically using heuristics, rather than rely on users to manually submit them to the [RustSec Advisory Database].\n\n`cargo-unmaintained` defines an unmaintained package X as one that satisfies one of 1 through 3 below:\n\n1. X's repository is archived (see [Notes] below).\n\n2. X is not a member of its named repository.\n\n3. Both a and b below.\n\n   a. X depends on a package Y whose latest version:\n\n   - is incompatible with the version that X depends on\n   - was released over a year ago (a configurable value)\n\n   b. Either X has no associated repository, or its repository's last commit was over a year ago (a configurable value).\n\nAs of 2025-03-13, the RustSec Advisory Database contains 136 active advisories for unmaintained packages. 
Using the above conditions, `cargo-unmaintained` automatically identifies 101 (74%) of them. These results can be reproduced by running the [`rustsec_advisories`] example within this repository.\n\n### Notes\n\n- To check whether packages' repositories have been archived, set the `GITHUB_TOKEN_PATH` environment variable to the path of a file containing a [personal access token]. If unset, this check will be skipped.\n\n- The above conditions consider a \"leaf\" package (i.e., a package with no dependencies) unmaintained only if conditions 1 or 2 apply.\n\n- The purpose of the \"over a year ago\" qualifications in condition 3 is to give package maintainers a chance to update their packages. That is, an incompatible upgrade to one of X's dependencies could require time-consuming changes to X. Without this check, `cargo-unmaintained` would produce many false positives.\n\n- Of the 35 packages in the RustSec Advisory Database _not_ identified by `cargo-unmaintained`:\n  - 11 do not build\n  - 3 are existent, unarchived leaves\n  - 2 were updated within the past 365 days\n  - 19 were not identified for other reasons\n\n## Output\n\n`cargo-unmaintained`'s output includes the number of days since a package's repository was last updated, along with the dependencies that cause the package to be considered unmaintained.\n\nFor example, the following is the output produced by running `cargo-unmaintained` on [Cargo 0.74.0] on 2023-11-11:\n\n\u003c!--\n`Scanning 357 packages and their dependencies (pass --verbose for more information)`\n--\u003e\n\n\u003cimg src=\"etc/output.png\" width=725\u003e\n\n## Installation\n\n```sh\ncargo install cargo-unmaintained\n```\n\n## Usage\n\n```\nUsage: cargo unmaintained [OPTIONS]\n\nOptions:\n      --color \u003cWHEN\u003e    When to use color: always, auto, or never [default: auto]\n      --fail-fast       Exit as soon as an unmaintained package is found\n      --json            Output JSON (experimental)\n      --max-age \u003cDAYS\u003e  
Age in days that a repository's last commit must not exceed for the\n                        repository to be considered current; 0 effectively disables this check,\n                        though ages are still reported [default: 365]\n      --no-cache        Do not cache data on disk for future runs\n      --no-exit-code    Do not set exit status when unmaintained packages are found\n      --no-warnings     Do not show warnings\n  -p, --package \u003cNAME\u003e  Check only whether package NAME is unmaintained\n      --purge           Remove all cached data from disk and exit\n      --save-token      Read a personal access token from standard input and save it to\n                        $HOME/.config/cargo-unmaintained/token.txt\n      --tree            Show paths to unmaintained packages\n      --verbose         Show information about what cargo-unmaintained is doing\n  -h, --help            Print help\n  -V, --version         Print version\n\nThe `GITHUB_TOKEN_PATH` environment variable can be set to the path of a file containing a personal\naccess token. If set, cargo-unmaintained will use this token to authenticate to GitHub and check\nwhether packages' repositories have been archived.\n\nAlternatively, the `GITHUB_TOKEN` environment variable can be set to a personal access token.\nHowever, use of `GITHUB_TOKEN_PATH` is recommended as it is less likely to leak the token.\n\nIf neither `GITHUB_TOKEN_PATH` nor `GITHUB_TOKEN` is set, but a file exists at\n$HOME/.config/cargo-unmaintained/token.txt, cargo-unmaintained will use that file's contents as a\npersonal access token.\n\nUnless --no-exit-code is passed, the exit status is 0 if no unmaintained packages were found and no\nirrecoverable errors occurred, 1 if unmaintained packages were found, and 2 if an irrecoverable\nerror occurred.\n```\n\n## Ignoring packages\n\nIf a workspace's `Cargo.toml` file includes a `workspace.metadata.unmaintained.ignore` array, all packages named therein will be ignored. 
Example:\n\n```toml\n[workspace.metadata.unmaintained]\nignore = [\"matchers\"]\n```\n\n## Testing\n\nRunning just `cargo test` will not run the \"continuous integration\" or \"externally influenced\" tests. To run those additional tests, add `--workspace`, i.e.:\n\n```sh\ncargo test --workspace\n```\n\n## Known problems\n\n- If a package is renamed from X to Y, it is immediately considered unmaintained because the package's repository no longer contains a package named X. ([#441])\n\n- If a project relies on an old version of a package, `cargo-unmaintained` may fail to flag the package as unmaintained (i.e., may produce a false negative). The following is a sketch of how this can occur.\n\n  - The project relies on version 1 of package X, which has no dependencies.\n  - Version 2 of package X exists, and adds version 1 of package Y as a dependency.\n  - Version 2 of package Y exists.\n\n  Note that version 1 of package X appears maintained, but version 2 does not. Ignoring a few details, version 2 satisfies condition 3 above.\n\n  `cargo-unmaintained` does not, in all cases, check whether the latest version of a package is used, as doing so would be cost prohibitive. A downside of this choice is that false negatives can result.\n\n  Note that false _positives_ should not arise in a corresponding way. Before flagging a package as unmaintained, `cargo-unmaintained` verifies that the package's latest version would be considered unmaintained as well.\n\n## Questions\n\n- Yesterday, I got a warning about an unmaintained package. But, today, I don't. Why is that?\n\n  Possibly, an intermediate dependency was updated. Suppose package X depends on Y, which depends on Z. And suppose Z is considered unmaintained. Then Z will generate warnings for both X and Y. 
If Y is updated to no longer depend upon Z, and X uses the new version of Y, then X will no longer receive warnings about Z.\n\n## Anti-goals\n\n`cargo-unmaintained` is not meant to be a replacement for [`cargo-upgrade`]. `cargo-unmaintained` should not warn just because a package needs to be upgraded.\n\n## Semantic versioning policy\n\nWe reserve the right to change the following and to consider such changes non-breaking:\n\n- what data is stored in the cache, as well as how that data is stored\n- the output produced by the experimental `--json` option\n\n## License\n\n`cargo-unmaintained` is licensed and distributed under the AGPLv3 license. [Contact us](mailto:opensource@trailofbits.com) if you're looking for an exception to the terms.\n\n[#441]: https://github.com/trailofbits/cargo-unmaintained/issues/441\n[Cargo 0.74.0]: https://github.com/rust-lang/cargo/tree/d252bce6553c8cc521840c9dd6b9f6cd4aedd8b0\n[Notes]: #notes\n[RustSec Advisory Database]: https://github.com/RustSec/advisory-db/\n[`cargo-audit`]: https://github.com/RustSec/rustsec/tree/main/cargo-audit\n[`cargo-upgrade`]: https://github.com/killercup/cargo-edit?tab=readme-ov-file#cargo-upgrade\n[`rustsec_advisories`]: ./examples/rustsec_advisories.rs\n[personal access token]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fcargo-unmaintained","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Fcargo-unmaintained","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fcargo-unmaintained/lists"}