> But the fact that at least on npm it was possible that someone else grabs a package ID after...

kibwen • yesterday at 11:39 AM • 2 replies • view on HN

> But the fact that at least on npm it was possible that someone else grabs a package ID after an author pulled its packages is kind of alarming.

Since your comment starts with commentary on crates.io, I'll note that this has never been possible crates.io.

> Dependency confusion attacks are still possible on cargo because the whole - vs _ as delimiter wasn’t settled in the beginning.

I don't think this has ever been true. AFAIK crates.io has always prevented registering two different crates whose names differ only in the use of dashes vs underscores.

> package namespaces

See https://github.com/rust-lang/rust/issues/122349

> proof of ownership

See https://github.com/rust-lang/rfcs/pull/3724 and https://blog.rust-lang.org/2025/07/11/crates-io-development-...

Replies

larusso • yesterday at 2:46 PM

You are right. I remembered it wrong.

https://rust-lang.github.io/rfcs/0940-hyphens-considered-har...

Was from 2015 and the other discussions I remember were around default style and that cargo already blocks a crate when normalized name is equal.

larusso • yesterday at 2:47 PM

The trusted publishing is rather new or? Awesome to see that they implemented it. Just saying that maven central required it already years ago.

➕ show 1 reply

alt Hacker News

Replies