Rust
Support for Rust projects using Cargo.toml.
Table of contents
- Supported Files
- Registries
- Dependency Formats
- Version Specification
- Special Cases
- Vulnerability Database
- Example Cargo.toml
- Troubleshooting
Supported Files
| File | Description |
|---|---|
Cargo.toml |
Main dependency manifest |
Registries
crates.io (Default)
crates.io - The official Rust package registry
- Base URL:
https://crates.io/api/v1 - Rate limit: 1 request per second (strictly enforced)
- Documentation: crates.io
Alternative Registries
Dependi supports querying alternative Cargo registries (Kellnr, Cloudsmith, Artifactory, etc.) for dependencies that specify a registry field in Cargo.toml.
Configure alternative registries in your Zed settings.json:
{
"lsp": {
"dependi": {
"initialization_options": {
"registries": {
"cargo": {
"registries": {
"my-registry": {
"index_url": "https://my-registry.example.com/api/v1/crates",
"auth": {
"type": "env",
"variable": "MY_REGISTRY_TOKEN"
}
}
}
}
}
}
}
}
}
- The
index_urlis the sparse index URL (without thesparse+prefix) - Authentication can be configured via LSP settings or falls back to
~/.cargo/credentials.toml - Dependencies without a
registryfield are fetched from crates.io as usual
Dependency Formats
Dependi parses all standard Cargo dependency formats:
Simple Version
[dependencies]
serde = "1.0"
Version with Features
[dependencies]
tokio = { version = "1.0", features = ["full"] }
Inline Table
[dependencies]
serde = { version = "1.0", features = ["derive"] }
Development Dependencies
[dev-dependencies]
criterion = "0.5"
Build Dependencies
[build-dependencies]
cc = "1.0"
Version Specification
Cargo uses semantic versioning with these operators:
| Syntax | Meaning |
|---|---|
"1.0.0" |
Exactly 1.0.0 |
"^1.0" |
>=1.0.0, <2.0.0 (default) |
"~1.0" |
>=1.0.0, <1.1.0 |
"*" |
Any version |
">=1.0" |
1.0.0 or higher |
">=1.0, <2.0" |
Range |
Special Cases
Workspace Dependencies
[workspace.dependencies]
serde = "1.0"
[dependencies]
serde = { workspace = true }
Dependi tracks workspace dependencies in the root Cargo.toml.
Path Dependencies
[dependencies]
my-crate = { path = "../my-crate" }
Path dependencies show → Local hint (no registry lookup).
Git Dependencies
[dependencies]
my-crate = { git = "https://github.com/user/repo" }
Git dependencies show → Git hint (no registry lookup).
Alternative Registry Dependencies
[dependencies]
my-crate = { version = "0.1.0", registry = "my-registry" }
Dependencies with a registry field are fetched from the configured alternative registry. See Alternative Registries above for setup.
Yanked Versions
Yanked versions on crates.io show ⊘ Yanked hint. These versions should be updated immediately.
Vulnerability Database
Rust vulnerabilities are sourced from:
- RustSec Advisory Database
- GitHub Security Advisories
Example Cargo.toml
[package]
name = "my-project"
version = "0.1.0"
edition = "2021"
[dependencies]
serde = { version = "1.0", features = ["derive"] } # ✓
tokio = { version = "1.35", features = ["full"] } # -> 1.36.0
anyhow = "1.0" # ✓
ring = "0.16" # ⚠ 2 vulns
[dev-dependencies]
criterion = "0.5" # ✓
Troubleshooting
Rate Limiting
crates.io has strict rate limits (1 req/s). If you see intermittent failures:
- Wait for the rate limiter to reset
- Dependi automatically handles rate limiting with delays
- Large
Cargo.tomlfiles may take longer on first load
Name Normalization
Crate names are normalized: foo-bar and foo_bar are equivalent. Dependi handles this automatically.
Workspace Resolution
For workspace projects, open the root Cargo.toml to see all dependencies. Individual member Cargo.toml files inherit workspace versions.