cargo-report

Display a report of crates which will eventually stop compiling

$ cargo report future-incompatibilities

$ cargo report future-incompatibilities --id [id]

$ cargo report future-incompatibilities [[-p|--package]] [package]

cargo report <SUBCOMMAND> [OPTIONS]

Current primary subcommands include:

cargo report future-incompatibilities [OPTIONS]
cargo report security [OPTIONS]

--package or -p
    Report for specific package(s) only within the workspace.

--workspace
    Report on all packages in the current workspace.

--target
    Report for the specified target triple (e.g., x86_64-unknown-linux-gnu).

--locked
    Don't update `Cargo.lock` if it's out of date, but use existing lockfile.

--frozen
    Don't update `Cargo.lock` and fail if it's out of date or missing.

--offline
    Operate in offline mode, without accessing the network.

--verbose or -v
    Use verbose output, showing more details.

--quiet or -q
    Suppress non-error output, showing only critical information.

--color
    Control output coloring. WHEN can be `auto`, `always`, or `never`.

--format
    (Subcommand specific) Output format for the report (e.g., `human`, `json`, `markdown`).

--json
    (Subcommand specific) Output the report in JSON format (shorthand for `--format json`).

--output
    (Subcommand specific) Write the report to a file at the specified path instead of stdout.

--ignore-source-metadata
    (For future-incompatibilities) Ignore source metadata when checking incompatibilities.

--advisory-path
    (For security) Path to a local security advisory database (e.g., from `rustsec-advisory-db`).

--deny-file
    (For security) Path to a TOML file containing a list of advisories to ignore.

--deny-format
    (For security) Format of the deny file. Currently only `toml` is supported.

--show-license
    (For security) Show license information for identified vulnerabilities (if available).

cargo report is a versatile Cargo subcommand designed to generate various types of reports concerning your Rust projects and their dependencies. It acts as a central hub for reporting functionalities that might otherwise be scattered across different tools or cargo subcommands. Its primary use cases currently revolve around two main areas: identifying future incompatibility lints and scanning for security advisories against known vulnerabilities. This command empowers developers to maintain the health, compatibility, and security of their Rust applications by providing structured, often machine-readable, output. It's particularly useful in CI/CD pipelines for automated checks, helping developers proactively address potential issues before they become critical. By consolidating reporting features, `cargo report` streamlines the process of code quality and security auditing within the Rust ecosystem.

cargo report commands often require specific conditions:

• The Rust toolchain must be installed and accessible on your system.
• cargo report future-incompatibilities typically requires a nightly Rust toolchain to effectively detect future lints, as these are experimental compiler features.
• cargo report security relies on the RustSec advisory database. For accurate and up-to-date results, this database needs to be synchronized, which Cargo usually handles automatically when connected to the internet.
• These commands operate within the context of a Cargo project with a `Cargo.toml` file.

The future-incompatibilities subcommand identifies compiler lints that will become hard errors or warnings in future Rust versions. This is crucial for proactive maintenance and ensuring forward compatibility of Rust codebases. It helps developers address code patterns that might break with future compiler upgrades, often requiring a nightly Rust toolchain to run these experimental checks effectively. The report can be generated in human-readable or JSON formats, making it suitable for both developer inspection and automated parsing.

The security subcommand scans your project's dependencies against the RustSec advisory database for known vulnerabilities. It reports any found advisories, providing details like advisory IDs, affected versions, and severity. This command is vital for maintaining a secure supply chain for your Rust applications and is often integrated into automated security checks in CI/CD pipelines. It supports various output formats, including human-readable, JSON, and Markdown, facilitating integration into diverse reporting systems. Users can also specify local advisory databases or provide deny files to ignore specific advisories.

The `cargo report` subcommand was introduced to provide a standardized and official way to generate various reports within the Cargo ecosystem, consolidating functionalities that might otherwise be external or less organized. The cargo report future-incompatibilities subcommand was one of the first additions, designed to help users prepare for upcoming breaking changes in the Rust language and compiler. More recently, the cargo report security subcommand was added, aiming to integrate robust security vulnerability scanning directly into Cargo, potentially reducing reliance on external tools like `cargo-audit` for core advisory checks. Its development reflects a broader effort to enhance the built-in tooling for code quality and security within the Rust project, making these crucial checks more accessible and integrated.

cargo(1), rustc(1), rustup(1), cargo-audit(1)