cargo-vendor

Vendor dependencies and configure cargo to use the vendored sources in the current project

$ cargo vendor [path/to/directory] > .cargo/config.toml

cargo vendor [OPTIONS]

--help, -h
    Prints help information

--version, -V
    Prints version information

--manifest-path <PATH>
    Path to Cargo.toml [default: Cargo.toml]

--format-version <FORMAT_VERSION>
    Version of vendor directory format (currently only 1)

--respect-source-config
    Respect source replacements in Cargo.lock and .cargo/config

--sync <SYNC>...
    Crates to sync (e.g., crates-io/my-crate)

--versioned
    Vendor crates in versioned directories instead of registry groups

-v
    Verbose output (-vv for more)

-q
    No output printed to stdout

--color <WHEN>
    Configure coloring of output: auto, always, never

--jobs, -j <N>
    Number of parallel jobs (default: number of CPUs)

The cargo vendor command is a subcommand of Cargo, Rust's package manager, designed to download and cache all dependencies listed in your project's Cargo.lock file into a local vendor/ directory. This enables offline builds, making it ideal for environments without internet access, such as air-gapped systems, CI/CD pipelines with restricted networks, or reproducible builds.

It primarily targets crates from crates.io but supports other registries via configuration. After running, it automatically updates or creates a .cargo/config.toml file with a source replacement directive (e.g., source.crates-io.replace-with = "vendor"), instructing Cargo to use the local vendor directory instead of remote registries during builds.

Key benefits include faster dependency resolution, reduced network dependency, and verifiable builds since all sources are local. However, the vendor directory can grow large (hundreds of MB to GBs for complex projects). It's commonly used with cargo build or cargo test afterward. Sync options allow updating specific crates without re-vendoring everything.

Vendor directory can be very large; only vendoring crates.io by default (use config for others); requires Cargo.lock; does not handle git dependencies automatically.

cargo vendor
cargo build (uses vendor automatically)

[source.crates-io] replace-with = "vendor" [source.vendor] directory = "vendor"

Introduced in Cargo 1.37.0 (July 2019) to support reproducible offline builds. Evolved with format version 1; enhanced sync and respect-source-config in later releases (e.g., 1.50+). Widely used in embedded, security-sensitive, and enterprise Rust workflows.

cargo(1), cargo-build(1), cargo-generate-lockfile(1)