Crates.io - Where Rust Packages Live

Crates.io is where Rust packages live. When you run cargo add serde, this is where it comes from. Unlike npm which seems to break every other Tuesday, crates.io actually works reliably. The Rust Foundation maintains the infrastructure, ensuring it stays free and accessible.

The biggest thing you need to know: once you publish a version, it's there forever. No takedowns, no vanishing packages that suddenly break your CI. This is both awesome and terrifying - publish version 0.1.0 with your API key in it, and congratulations, it's permanent. Learn this the hard way like the rest of us did. Check the publishing policies if you want the legal details.

As of September 2025, there are over 150,000 crates on crates.io, well beyond the 100,000 milestone reached in late 2022. Not npm's 2 million, but quality over quantity. You won't find 15 different ways to check if a number is odd. Browse the most popular crates to see what the community actually uses, or check lib.rs for better category browsing.

What Makes Crates.io Not Suck

• Works with Cargo out of the box - no separate install needed
• Automatic docs.rs documentation for every package
• Built-in security scanning through RustSec
• The search actually finds what you're looking for
• No random 404s or packages disappearing overnight

The Gotchas You'll Hit

• 10MB package limit - embed some assets and you'll hit this fast
• No private packages - everything's public, use alternative registries for internal stuff
• Publishing fails silently sometimes - always check the website after cargo publish
• Can't fix typos in published versions - that embarrassing typo in your README is now permanent
• GitHub OAuth required - no anonymous publishing

Built with Rust and axum, hosted on AWS. Rarely goes down, but when it does, the entire ecosystem explodes. Check the status page when cargo stops working. The source code is open if you're into that sort of thing.

Unlike PyPI where you can delete versions and break everyone's builds, or npm where packages vanish due to drama, crates.io's immutability means your Cargo.lock actually locks dependencies. This saved my ass when the left-pad equivalent happened in other ecosystems. Read about semantic versioning to understand why this matters.

These are the errors that'll ruin your day (September 2025)

The most common one? "this crate exists but you don't seem to be an owner" - translation: someone already took your brilliant package name. Workspace publishing still breaks randomly with "failed to verify package tarball" errors. Use cargo publish -p crate-name to work around it.

Path dependencies will bite you too - can't have path = "../other-crate" when publishing. Everything must be on crates.io first. And here's the fun one: your Cargo.lock gets ignored during publishing, so CI passes locally but fails when cargo resolves different dependency versions. Always run cargo publish --dry-run first.

Oh, and publishing can fail silently. Cargo says "success" but nothing shows up on the website. Always double-check.

Despite these quirks, crates.io is fucking brilliant. It's reliable, fast, and actually works. Compare that to npm's weekly drama or PyPI's inconsistent tooling, and you'll appreciate the Rust ecosystem's focus on stability over rapid iteration. When your build works on Monday and still works on Friday, that's not luck - that's good engineering.

Publishing to crates.io is mostly straightforward, except when it's not. Here's what actually happens when you try to share your Rust code with the world. Read the official publishing guide for the sanitized version.

The Publishing Dance

So you want to publish? First, you need GitHub because there's no choice. Then you go to crates.io, log in with GitHub OAuth, and generate an API token. Save this token somewhere safe or you're starting over from scratch.

Run cargo login and paste that token. Now fix your Cargo.toml because you definitely forgot half the required fields like license and description. Run cargo publish --dry-run to check if it builds... it doesn't. Fix your dependencies. Try cargo publish and pray to the Rust gods.

Where Publishing Breaks (And How to Fix It)

• "package not found" errors - your package name is taken or you typo'd it
• "email not verified" failures - check your spam folder for the verification email
• "forbidden" responses - your API token expired or you don't own this package name
• Build failures on docs.rs - your examples use dev-dependencies or broken links
• Size limit exceeded - you hit the 10MB limit, usually from including target/ or assets

The 10MB limit is a bastard. I've watched people try to publish ML models, game assets, or just completely forget to exclude their target/ directory. Use .cargo-ok file and `[package.exclude]` in Cargo.toml to avoid this nightmare. Check the crates.io FAQ for size optimization tips.

The Immutability Reality Check

Once you hit cargo publish, that version is carved in stone forever. No "oops" button. No fixing that typo in your README. No removing the accidentally committed password.

I learned this when I published a crate with "TODO: write better docs" as the entire README. That's still there, mocking me years later.

What Actually Works Well

• docs.rs integration - every crate gets free docs that actually build correctly
• RustSec scanning - `cargo audit` catches vulnerabilities automatically
• Semantic versioning - the tooling actually enforces semver properly
• Feature flags - optional dependencies that don't bloat your binary
• Cross-compilation support - publish once, works on all targets

The Search Is Actually Useful

Unlike npm's search which returns random garbage, crates.io search finds relevant packages. It sorts by downloads, recent updates, and relevance. Categories like "web-programming" and "cryptography" actually contain what you'd expect. Use lib.rs for even better browsing with more detailed filtering.

Team Management (When Your Project Grows)

You can add co-maintainers with `cargo owner --add username`. They get full permissions including adding/removing other owners. Trust carefully - there's no "read-only" access. Check the ownership docs for team management best practices.

What Still Sucks

• No private packages - everything's public, use alternative registries for internal code
• Documentation builds sometimes fail for weird dependency reasons
• Can't delete embarrassing early versions - version 0.0.1 with the terrible API is permanent
• Publishing can fail silently - always check the website to confirm it worked

Bottom line: Publishing to crates.io is like learning to drive stick - painful at first, but once you get the hang of it, you wonder how anyone tolerates the alternatives. The immutability might seem harsh, but it's what makes the Rust ecosystem reliable. Your dependencies won't vanish overnight, your builds won't break randomly, and you can actually trust your Cargo.lock file. That's worth a few publishing headaches.