Add warnings for yanked dependencies.

This only applies for `cargo package/publish` with the publish-lockfile feature,
or `cargo install --locked`.

Author: ehuss

src/cargo/core/package.rs

@@ -1,4 +1,4 @@
-use std::cell::{Cell, Ref, RefCell};
+use std::cell::{Cell, Ref, RefCell, RefMut};
 use std::cmp::Ordering;
 use std::collections::{HashMap, HashSet};
 use std::fmt;
@@ -454,6 +454,10 @@ impl<'cfg> PackageSet<'cfg> {
     pub fn sources(&self) -> Ref<'_, SourceMap<'cfg>> {
         self.sources.borrow()
     }
+
+    pub fn sources_mut(&self) -> RefMut<'_, SourceMap<'cfg>> {
+        self.sources.borrow_mut()
+    }
 }
 
 // When dynamically linked against libcurl, we want to ignore some failures

src/cargo/core/source/mod.rs

@@ -96,6 +96,10 @@ pub trait Source {
     /// queries, even if they are yanked. Currently only applies to registry
     /// sources.
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]);
+
+    /// Query if a package is yanked. Only registry sources can mark packages
+    /// as yanked. This ignores the yanked whitelist.
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool>;
 }
 
 pub enum MaybePackage {
@@ -169,6 +173,10 @@ impl<'a, T: Source + ?Sized + 'a> Source for Box<T> {
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]) {
         (**self).add_to_yanked_whitelist(pkgs);
     }
+
+    fn is_yanked(&mut self, pkg: PackageId) -> CargoResult<bool> {
+        (**self).is_yanked(pkg)
+    }
 }
 
 impl<'a, T: Source + ?Sized + 'a> Source for &'a mut T {
@@ -227,6 +235,10 @@ impl<'a, T: Source + ?Sized + 'a> Source for &'a mut T {
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]) {
         (**self).add_to_yanked_whitelist(pkgs);
     }
+
+    fn is_yanked(&mut self, pkg: PackageId) -> CargoResult<bool> {
+        (**self).is_yanked(pkg)
+    }
 }
 
 /// A `HashMap` of `SourceId` -> `Box<Source>`.

src/cargo/core/source/source_id.rs

@@ -228,14 +228,24 @@ impl SourceId {
         &self.inner.url
     }
 
-    pub fn display_registry(self) -> String {
+    pub fn display_index(self) -> String {
         if self.is_default_registry() {
             "crates.io index".to_string()
         } else {
             format!("`{}` index", url_display(self.url()))
         }
     }
 
+    pub fn display_registry_name(self) -> String {
+        if self.is_default_registry() {
+            "crates.io".to_string()
+        } else if let Some(name) = &self.inner.name {
+            name.clone()
+        } else {
+            url_display(self.url())
+        }
+    }
+
     /// Returns `true` if this source is from a filesystem path.
     pub fn is_path(self) -> bool {
         self.inner.kind == Kind::Path

src/cargo/ops/cargo_install.rs

@@ -8,7 +8,8 @@ use tempfile::Builder as TempFileBuilder;
 
 use crate::core::compiler::Freshness;
 use crate::core::compiler::{DefaultExecutor, Executor};
-use crate::core::{Edition, PackageId, Source, SourceId, Workspace};
+use crate::core::resolver::Method;
+use crate::core::{Edition, PackageId, PackageIdSpec, Source, SourceId, Workspace};
 use crate::ops;
 use crate::ops::common_for_install_and_uninstall::*;
 use crate::sources::{GitSource, SourceConfigMap};
@@ -306,6 +307,8 @@ fn install_one(
 
     config.shell().status("Installing", pkg)?;
 
+    check_yanked_install(&ws)?;
+
     let exec: Arc<dyn Executor> = Arc::new(DefaultExecutor);
     let compile = ops::compile_ws(&ws, Some(source), opts, &exec).chain_err(|| {
         if let Some(td) = td_opt.take() {
@@ -481,6 +484,32 @@ fn install_one(
     }
 }
 
+fn check_yanked_install(ws: &Workspace<'_>) -> CargoResult<()> {
+    if ws.ignore_lock() || !ws.root().join("Cargo.lock").exists() {
+        return Ok(());
+    }
+    let specs = vec![PackageIdSpec::from_package_id(ws.current()?.package_id())];
+    // It would be best if `source` could be passed in here to avoid a
+    // duplicate "Updating", but since `source` is taken by value, then it
+    // wouldn't be available for `compile_ws`.
+    let (pkg_set, resolve) = ops::resolve_ws_with_method(ws, None, Method::Everything, &specs)?;
+    let mut sources = pkg_set.sources_mut();
+    for pkg_id in resolve.iter() {
+        if let Some(source) = sources.get_mut(pkg_id.source_id()) {
+            if source.is_yanked(pkg_id)? {
+                ws.config().shell().warn(format!(
+                    "package `{}` in Cargo.lock is yanked in registry `{}`, \
+                     consider running without --locked",
+                    pkg_id,
+                    pkg_id.source_id().display_registry_name()
+                ))?;
+            }
+        }
+    }
+
+    Ok(())
+}
+
 /// Display a list of installed binaries.
 pub fn install_list(dst: Option<&str>, config: &Config) -> CargoResult<()> {
     let root = resolve_root(dst, config)?;

src/cargo/ops/cargo_package.rs

@@ -12,7 +12,9 @@ use tar::{Builder, EntryType, Header};
 
 use crate::core::compiler::{BuildConfig, CompileMode, DefaultExecutor, Executor};
 use crate::core::resolver::Method;
-use crate::core::{Package, PackageId, PackageIdSpec, Resolve, Source, SourceId, Workspace};
+use crate::core::{
+    Package, PackageId, PackageIdSpec, PackageSet, Resolve, Source, SourceId, Workspace,
+};
 use crate::ops;
 use crate::sources::PathSource;
 use crate::util::errors::{CargoResult, CargoResultExt};
@@ -425,12 +427,14 @@ fn tar(
         let new_pkg = src.root_package()?;
         let specs = vec![PackageIdSpec::from_package_id(new_pkg.package_id())];
         let tmp_ws = Workspace::ephemeral(new_pkg, config, None, true)?;
-        let new_resolve = ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?.1;
+        let (pkg_set, new_resolve) =
+            ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?;
         // resolve_ws_with_method won't save for ephemeral, do it manually.
         ops::write_pkg_lockfile(&tmp_ws, &new_resolve)?;
         if let Some(orig_resolve) = orig_resolve {
             compare_resolve(config, tmp_ws.current()?, &orig_resolve, &new_resolve)?;
         }
+        check_yanked(config, &pkg_set, &new_resolve)?;
 
         let toml = paths::read(&new_lock_path)?;
         let path = format!(
@@ -536,6 +540,23 @@ fn compare_resolve(
     Ok(())
 }
 
+fn check_yanked(config: &Config, pkg_set: &PackageSet<'_>, resolve: &Resolve) -> CargoResult<()> {
+    let mut sources = pkg_set.sources_mut();
+    for pkg_id in resolve.iter() {
+        if let Some(source) = sources.get_mut(pkg_id.source_id()) {
+            if source.is_yanked(pkg_id)? {
+                config.shell().warn(format!(
+                    "package `{}` in Cargo.lock is yanked in registry `{}`, \
+                     consider updating to a version that is not yanked",
+                    pkg_id,
+                    pkg_id.source_id().display_registry_name()
+                ))?;
+            }
+        }
+    }
+    Ok(())
+}
+
 fn run_verify(ws: &Workspace<'_>, tar: &FileLock, opts: &PackageOpts<'_>) -> CargoResult<()> {
     let config = ws.config();
     let pkg = ws.current()?;

src/cargo/sources/directory.rs

@@ -214,4 +214,8 @@ impl<'cfg> Source for DirectorySource<'cfg> {
     }
 
     fn add_to_yanked_whitelist(&mut self, _pkgs: &[PackageId]) {}
+
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool> {
+        Ok(false)
+    }
 }

src/cargo/sources/git/source.rs

@@ -239,6 +239,10 @@ impl<'cfg> Source for GitSource<'cfg> {
     }
 
     fn add_to_yanked_whitelist(&mut self, _pkgs: &[PackageId]) {}
+
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool> {
+        Ok(false)
+    }
 }
 
 #[cfg(test)]

src/cargo/sources/path.rs

@@ -575,4 +575,8 @@ impl<'cfg> Source for PathSource<'cfg> {
     }
 
     fn add_to_yanked_whitelist(&mut self, _pkgs: &[PackageId]) {}
+
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool> {
+        Ok(false)
+    }
 }

src/cargo/sources/registry/index.rs

@@ -336,4 +336,13 @@ impl<'cfg> RegistryIndex<'cfg> {
         }
         Ok(count)
     }
+
+    pub fn is_yanked(&mut self, pkg: PackageId, load: &mut dyn RegistryData) -> CargoResult<bool> {
+        let summaries = self.summaries(pkg.name().as_str(), load)?;
+        let found = summaries
+            .iter()
+            .filter(|&(summary, _yanked)| summary.version() == pkg.version())
+            .any(|(_summary, yanked)| *yanked);
+        Ok(found)
+    }
 }

src/cargo/sources/registry/mod.rs

@@ -525,6 +525,7 @@ impl<'cfg> RegistrySource<'cfg> {
         let path = self.ops.index_path();
         self.index =
             index::RegistryIndex::new(self.source_id, path, self.config, self.index_locked);
+        self.updated = true;
         Ok(())
     }
 
@@ -645,10 +646,17 @@ impl<'cfg> Source for RegistrySource<'cfg> {
     }
 
     fn describe(&self) -> String {
-        self.source_id.display_registry()
+        self.source_id.display_index()
     }
 
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]) {
         self.yanked_whitelist.extend(pkgs);
     }
+
+    fn is_yanked(&mut self, pkg: PackageId) -> CargoResult<bool> {
+        if !self.updated {
+            self.do_update()?;
+        }
+        self.index.is_yanked(pkg, &mut *self.ops)
+    }
 }