cargo: strip credential-provider from .cargo/config.toml via TOML parsing#14359
Pull request overview
This PR ensures Dependabot’s Cargo integration doesn’t trigger Cargo’s local credential lookup when a repo’s .cargo/config(.toml) sets credential-provider, so authentication is handled exclusively by the Dependabot proxy.
Changes:
- Add `Helpers.sanitize_cargo_config` to parse TOML and remove `credential-provider` from `[registries.*]` and `[registry]`.
- Write a sanitized Cargo config into the temporary working directory in both the lockfile updater and version resolver paths.
- Add RSpec coverage for sanitizing per-registry, global, mixed, and malformed TOML configs.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| cargo/lib/dependabot/cargo/helpers.rb | Adds TOML-based sanitization to remove credential-provider (with parse-error fallback). |
| cargo/lib/dependabot/cargo/file_updater/lockfile_updater.rb | Writes sanitized Cargo config into the temp workspace before running Cargo. |
| cargo/lib/dependabot/cargo/update_checker/version_resolver.rb | Writes sanitized Cargo config into the temp workspace before running Cargo. |
| cargo/spec/dependabot/cargo/helpers_spec.rb | Adds tests for sanitization behavior and malformed TOML fallback. |
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File.write(lockfile.name, lockfile.content) | ||
| File.write(T.must(toolchain).name, T.must(toolchain).content) if toolchain | ||
| return unless config | ||
| config_file = config |
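Review bot: the toolchain line above still wraps `toolchain` in T.must twice (`File.write(T.must(toolchain).name, T.must(toolchain).content) if toolchain`), while the config path right below narrows through a local (`config_file = config`) to avoid exactly that; applying the same local-assignment narrowing to toolchain would keep the two branches consistent and drop the redundant casts.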
This is Sorbet variable narrowing... so that we don't have to have another T.must() call... this is arguably more readable.
## Problem

PR #14340 set `CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=""` to disable Cargo's credential lookup globally. However, per-registry `credential-provider` settings in .cargo/config.toml override the global env var:

```toml
[registries.artifactory]
credential-provider = "cargo:token"
```

Cargo then invokes `cargo:token` for that registry, tries to look up `CARGO_REGISTRIES_ARTIFACTORY_TOKEN`, finds nothing, and fails with 'no token found'.

## Solution

Parse .cargo/config.toml with TomlRB and strip `credential-provider` keys from both `[registries.*]` and `[registry]` sections before writing the config to the temporary working directory. Combined with the existing `CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=""` from #14340, this ensures Cargo never tries to authenticate on its own — all HTTP requests go through the dependabot proxy unauthenticated, and the proxy injects the real credentials transparently.

Uses `is_a?(Hash)` guards rather than `T.let` casts so that unexpected config structure (valid TOML but not the shape we expect) is safely skipped rather than raising.

Fixes #14354
| TomlRB.dump(parsed) | ||
| rescue TomlRB::Error => e | ||
| raise Dependabot::DependencyFileNotParseable.new( |
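Review bot: the rescue branch (`rescue TomlRB::Error => e` followed by `raise Dependabot::DependencyFileNotParseable.new(`) raises on malformed TOML instead of returning the original content, which contradicts the PR description's "Falls back to the original content if parsing fails" and the review summary's "parse-error fallback"; either update the description and the malformed-TOML spec to state that parse errors are surfaced to the user as DependencyFileNotParseable, or restore the pass-through if writing the config unchanged was the intended behaviour.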
This is a well-known error that we display to users so that if they hit problems, they can hopefully self-diagnose.
## Problem

PR #14340 set `CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS` to an empty string to disable Cargo's credential lookup globally. However, per-registry `credential-provider` settings in `.cargo/config.toml` override the global env var:

```toml
[registries.artifactory]
credential-provider = "cargo:token"
```

Cargo then tries to look up tokens locally and fails with `no token found`.

## Solution

Parse `.cargo/config.toml` with TomlRB and remove `credential-provider` keys from both per-registry (`[registries.*]`) and global (`[registry]`) sections before writing the config to the temporary working directory.

Combined with the existing `CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=""` from #14340, this ensures Cargo never tries to authenticate on its own. All HTTP requests go through the dependabot proxy unauthenticated, and the proxy injects the real credentials transparently.

## Why this works

Dependabot always proxies all Cargo HTTP traffic. The proxy intercepts requests and injects the real registry credentials. Cargo itself never needs to authenticate — it just needs to not try to look up tokens. This PR + #14340 together ensure that:

- `CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=""` — cargo: Bypass Cargo credential providers, rely on proxy for registry auth #14340

## Approach

Uses TomlRB to properly parse and rewrite the config rather than regex, avoiding edge cases with TOML formatting. Falls back to the original content if parsing fails.

## See also

Fixes #14354

Related: #14030, #14094
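As an added example (not the PR's own `Helpers.sanitize_cargo_config`, which also wraps this step in the TomlRB parse and dump), the sanitization applied to the Hash that `TomlRB.parse` returns, covering the global `[registry]` case, the per-registry `[registries.*]` case and the shape guards the description mentions; the sample config and its registry names are constructed.

```ruby
CREDENTIAL_PROVIDER_KEY = "credential-provider"

# Strip Cargo credential-provider settings from a parsed .cargo/config.toml.
# `parsed` is the shape TomlRB.parse returns (string keys, nested Hashes).
# Returns [sanitized, removed]: a deep copy with the keys dropped, plus the
# table paths they were dropped from ("registry" or "registries.<name>").
# Unexpected shapes are skipped rather than raised, like the PR's is_a?(Hash)
# guards, and the caller's Hash is left untouched.
def strip_credential_providers(parsed)
  return [parsed, []] unless parsed.is_a?(Hash)

  config = Marshal.load(Marshal.dump(parsed)) # deep copy of plain TOML data
  removed = []

  # Global [registry] table.
  registry = config["registry"]
  if registry.is_a?(Hash) && registry.key?(CREDENTIAL_PROVIDER_KEY)
    registry.delete(CREDENTIAL_PROVIDER_KEY)
    removed << "registry"
  end

  # Per-registry [registries.<name>] tables; these override
  # CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS="", which is why the file has
  # to be rewritten rather than relying on the env var alone.
  registries = config["registries"]
  if registries.is_a?(Hash)
    registries.each do |name, table|
      next unless table.is_a?(Hash) && table.key?(CREDENTIAL_PROVIDER_KEY)

      table.delete(CREDENTIAL_PROVIDER_KEY)
      removed << "registries.#{name}"
    end
  end

  [config, removed]
end

# Constructed sample (not from the PR): a global provider, a per-registry
# provider, an unrelated registry and an unrelated table.
SAMPLE_CONFIG = {
  "registry" => { "credential-provider" => "cargo:token" },
  "registries" => {
    "artifactory" => { "index" => "sparse+https://example.invalid/",
                       "credential-provider" => "cargo:token" },
    "mirror" => { "index" => "sparse+https://example.invalid/mirror/" }
  },
  "net" => { "retry" => 3 }
}.freeze

sanitized, removed = strip_credential_providers(SAMPLE_CONFIG)
puts "stripped from: #{removed.join(', ')}" # => registry, registries.artifactory
```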