'\" t
.TH "CARGO\-YANK" "1"
.nh
.ad l
.ss \n[.ss] 0
.SH "NAME"
cargo\-yank \[em] Remove a pushed crate from the index
.SH "SYNOPSIS"
\fBcargo yank\fR [\fIoptions\fR] \fIcrate\fR@\fIversion\fR
.br
\fBcargo yank\fR [\fIoptions\fR] \fB\-\-version\fR \fIversion\fR [\fIcrate\fR]
.SH "DESCRIPTION"
The yank command removes a previously published crate\[cq]s version from the
server\[cq]s index. This command does not delete any data, and the crate will
still be available for download via the registry\[cq]s download link.
.sp
Cargo will not use a yanked version for any new project or checkout without a
pre\-existing lockfile, and will generate an error if there are no longer
any compatible versions for your crate.
.sp
This command requires you to be authenticated with either the \fB\-\-token\fR option
or using \fBcargo\-login\fR(1).
.sp
If the crate name is not specified, it will use the package name from the
current directory.
.SS "How yank works"
For example, the \fBfoo\fR crate published version \fB1.5.0\fR and another crate \fBbar\fR
declared a dependency on version \fBfoo = "1.5"\fR\&. Now \fBfoo\fR releases a new, but
not semver compatible, version \fB2.0.0\fR, and finds a critical issue with \fB1.5.0\fR\&.
If \fB1.5.0\fR is yanked, no new project or checkout without an existing lockfile
will be able to use crate \fBbar\fR as it relies on \fB1.5\fR\&.
.sp
In this case, the maintainers of \fBfoo\fR should first publish a semver compatible
version such as \fB1.5.1\fR prior to yanking \fB1.5.0\fR so that \fBbar\fR and all projects
that depend on \fBbar\fR will continue to work.
.sp
As another example, consider a crate \fBbar\fR with published versions \fB1.5.0\fR,
\fB1.5.1\fR, \fB1.5.2\fR, \fB2.0.0\fR and \fB3.0.0\fR\&. The following table identifies the
versions cargo could use in the absence of a lockfile for different SemVer
requirements, following a given release being yanked:
.TS
allbox tab(:);
lt lt lt lt.
T{
Yanked Version / SemVer requirement
T}:T{
\fBbar = "1.5.0"\fR
T}:T{
\fBbar = "=1.5.0"\fR
T}:T{
\fBbar = "2.0.0"\fR
T}
T{
\fB1.5.0\fR
T}:T{
Use either \fB1.5.1\fR or \fB1.5.2\fR
T}:T{
\fBReturn Error\fR
T}:T{
Use \fB2.0.0\fR
T}
T{
\fB1.5.1\fR
T}:T{
Use either \fB1.5.0\fR or \fB1.5.2\fR
T}:T{
Use \fB1.5.0\fR
T}:T{
Use \fB2.0.0\fR
T}
T{
\fB2.0.0\fR
T}:T{
Use either \fB1.5.0\fR, \fB1.5.1\fR or \fB1.5.2\fR
T}:T{
Use \fB1.5.0\fR
T}:T{
\fBReturn Error\fR
T}
.TE
.sp
.SS "When to yank"
Crates should only be yanked in exceptional circumstances, for example, an
accidental publish, an unintentional SemVer breakages, or a significantly
broken and unusable crate. In the case of security vulnerabilities, \fIRustSec\fR
is typically a less disruptive mechanism to inform users and encourage them
to upgrade, and avoids the possibility of significant downstream disruption
irrespective of susceptibility to the vulnerability in question.
.sp
A common workflow is to yank a crate having already published a semver
compatible version, to reduce the probability of preventing dependent
crates from compiling.
.sp
When addressing copyright, licensing, or personal data issues with a published
crate, simply yanking it may not suffice. In such cases, contact the maintainers
of the registry you used. For crates.io, refer to their \fIpolicies\fR and contact
them at \&.
.sp
If credentials have been leaked, the recommended course of action is to revoke
them immediately. Once a crate has been published, it is impossible to determine
if the leaked credentials have been copied. Yanking the crate only prevents new
users from downloading it, but cannot stop those who have already downloaded it
from keeping or even spreading the leaked credentials.
.SH "OPTIONS"
.SS "Yank Options"
.sp
\fB\-\-vers\fR \fIversion\fR,
\fB\-\-version\fR \fIversion\fR
.RS 4
The version to yank or un\-yank.
.RE
.sp
\fB\-\-undo\fR
.RS 4
Undo a yank, putting a version back into the index.
.RE
.sp
\fB\-\-token\fR \fItoken\fR
.RS 4
API token to use when authenticating. This overrides the token stored in
the credentials file (which is created by \fBcargo\-login\fR(1)).
.sp
\fICargo config\fR environment variables can be
used to override the tokens stored in the credentials file. The token for
crates.io may be specified with the \fBCARGO_REGISTRY_TOKEN\fR environment
variable. Tokens for other registries may be specified with environment
variables of the form \fBCARGO_REGISTRIES_NAME_TOKEN\fR where \fBNAME\fR is the name
of the registry in all capital letters.
.RE
.sp
\fB\-\-index\fR \fIindex\fR
.RS 4
The URL of the registry index to use.
.RE
.sp
\fB\-\-registry\fR \fIregistry\fR
.RS 4
Name of the registry to use. Registry names are defined in \fICargo config
files\fR \&. If not specified, the default registry is used,
which is defined by the \fBregistry.default\fR config key which defaults to
\fBcrates\-io\fR\&.
.RE
.SS "Display Options"
.sp
\fB\-v\fR,
\fB\-\-verbose\fR
.RS 4
Use verbose output. May be specified twice for \[lq]very verbose\[rq] output which
includes extra output such as dependency warnings and build script output.
May also be specified with the \fBterm.verbose\fR
\fIconfig value\fR \&.
.RE
.sp
\fB\-q\fR,
\fB\-\-quiet\fR
.RS 4
Do not print cargo log messages.
May also be specified with the \fBterm.quiet\fR
\fIconfig value\fR \&.
.RE
.sp
\fB\-\-color\fR \fIwhen\fR
.RS 4
Control when colored output is used. Valid values:
.sp
.RS 4
\h'-04'\(bu\h'+02'\fBauto\fR (default): Automatically detect if color support is available on the
terminal.
.RE
.sp
.RS 4
\h'-04'\(bu\h'+02'\fBalways\fR: Always display colors.
.RE
.sp
.RS 4
\h'-04'\(bu\h'+02'\fBnever\fR: Never display colors.
.RE
.sp
May also be specified with the \fBterm.color\fR
\fIconfig value\fR \&.
.RE
.SS "Common Options"
.sp
\fB+\fR\fItoolchain\fR
.RS 4
If Cargo has been installed with rustup, and the first argument to \fBcargo\fR
begins with \fB+\fR, it will be interpreted as a rustup toolchain name (such
as \fB+stable\fR or \fB+nightly\fR).
See the \fIrustup documentation\fR
for more information about how toolchain overrides work.
.RE
.sp
\fB\-\-config\fR \fIKEY=VALUE\fR or \fIPATH\fR
.RS 4
Overrides a Cargo configuration value. The argument should be in TOML syntax of \fBKEY=VALUE\fR,
or provided as a path to an extra configuration file. This flag may be specified multiple times.
See the \fIcommand\-line overrides section\fR for more information.
.RE
.sp
\fB\-C\fR \fIPATH\fR
.RS 4
Changes the current working directory before executing any specified operations. This affects
things like where cargo looks by default for the project manifest (\fBCargo.toml\fR), as well as
the directories searched for discovering \fB\&.cargo/config.toml\fR, for example. This option must
appear before the command name, for example \fBcargo \-C path/to/my\-project build\fR\&.
.sp
This option is only available on the \fInightly
channel\fR and
requires the \fB\-Z unstable\-options\fR flag to enable (see
\fI#10098\fR ).
.RE
.sp
\fB\-h\fR,
\fB\-\-help\fR
.RS 4
Prints help information.
.RE
.sp
\fB\-Z\fR \fIflag\fR
.RS 4
Unstable (nightly\-only) flags to Cargo. Run \fBcargo \-Z help\fR for details.
.RE
.SH "ENVIRONMENT"
See \fIthe reference\fR for
details on environment variables that Cargo reads.
.SH "EXIT STATUS"
.sp
.RS 4
\h'-04'\(bu\h'+02'\fB0\fR: Cargo succeeded.
.RE
.sp
.RS 4
\h'-04'\(bu\h'+02'\fB101\fR: Cargo failed to complete.
.RE
.SH "EXAMPLES"
.sp
.RS 4
\h'-04' 1.\h'+01'Yank a crate from the index:
.sp
.RS 4
.nf
cargo yank foo@1.0.7
.fi
.RE
.RE
.SH "SEE ALSO"
\fBcargo\fR(1), \fBcargo\-login\fR(1), \fBcargo\-publish\fR(1)