I read a proposal somewhere that cargo could warn when a build involves a yanked crate. That sounds quite useful, doesn't it? This comment says
I think I have mitigated some of the concern by issuing warnings on yanked dependencies.
but I am not sure if that applies only to install or also to build. Does anyone know more here?
Looks like it is for install only: https://github.com/rust-lang/cargo/commit/5f616eb18e979650beb50bfb955dc4213137a234
Linting for yanked crates seems like something RustSec could do, especially if it looked at the local copy of the crates.io index...
Really good idea!
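
A sketch of the lint suggested in the thread, added here as an example (it is not code from cargo or RustSec): it cross-checks the registry packages pinned in a Cargo.lock against the `yanked` flag in crates.io index files. The crate names, versions and the dict that stands in for a local index checkout are constructed for illustration.

```python
import json
import re

# Constructed Cargo.lock fragment (crate names and versions are made up).
SAMPLE_LOCK = """
[[package]]
name = "example-a"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-b"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "example-a",
]

[[package]]
name = "my-app"
version = "0.1.0"
"""

# Constructed index contents: one file per crate, one JSON object per version.
# Assumption: the caller has already read these files from a local index copy.
SAMPLE_INDEX = {
    "example-a": '{"name":"example-a","vers":"0.2.0","yanked":false}\n'
                 '{"name":"example-a","vers":"0.2.1","yanked":true}\n',
    "example-b": '{"name":"example-b","vers":"1.4.0","yanked":false}\n',
}

def locked_registry_packages(lock_text):
    """Yield (name, version) for every locked package that came from a registry."""
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.M))
        if fields.get("source", "").startswith("registry+"):
            yield fields["name"], fields["version"]

def yanked_versions(index_text):
    """Return the set of versions that an index file marks as yanked."""
    entries = (json.loads(l) for l in index_text.splitlines() if l.strip())
    return {e["vers"] for e in entries if e.get("yanked")}

def find_yanked(lock_text, index_files):
    """Return locked (name, version) pairs that the local index marks as yanked."""
    return [(n, v) for n, v in locked_registry_packages(lock_text)
            if v in yanked_versions(index_files.get(n, ""))]

if __name__ == "__main__":
    for name, version in find_yanked(SAMPLE_LOCK, SAMPLE_INDEX):
        print(f"warning: {name} {version} is yanked")
```

Crates missing from the supplied index files are silently skipped, so a stale local index can hide a yank; refresh the index before relying on a clean result.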