`cargo vendor`: files listed in `.cargo-checksum.json` differ by operating system

[babolivier]

Problem

We use cargo vendor (wrapped in some automation of ours) to vendor our dependencies. Depending on who runs said automation, we've observed the resulting .cargo-checksum.json seems to be generated differently depending on the person's operating system. When running the command on Linux, hidden files in the crate's source (i.e. the files starting with .) are excluded from the .cargo-checksum.json; but they're not when the command runs on Windows.

See below the diff for the .cargo-checksum.json in one of our vendored dependencies, after running cargo vendor on Windows (the existing file had been previously generated and kept up to date by running the same command on Linux), where files such as .appveyor.yml or .rustfmt.toml are added to the file, which doesn't happen on Linux:

--- a/third_party/rust/ansi_term/.cargo-checksum.json
+++ b/third_party/rust/ansi_term/.cargo-checksum.json
@@ -1,1 +1,1 @@
-{"files":{"Cargo.lock":"31bb7b361278d99a00595cbd916c444e6fd193b5f0b1ea0cf2d9454440739501","Cargo.toml":"4ca681d6949661455ac88541ffa68ebc7db50cb2b6e9a2134e6d0687da4997c3","LICENCE":"2762990c7fbba9d550802a2593c1d857dcd52596bb0f9f192a97e9a7ac5f4f9e","README.md":"8d983e1bb3cc99724010d9073a5be6452cd49bd57a877525fd0a5dd41e6591d5","examples/256_colours.rs":"5f2845068bc2d93cff4a61f18ffa44fbbbc91be771dfd686d537d343f37041da","examples/basic_colours.rs":"d610795f3743d10d90ec4e5ab32cc09fb16640896cecd2f93fca434a0920397c","examples/rgb_colours.rs":"8399e5131e959a56c932036b790e601fb4ad658856112daf87f933889b443f2c","src/ansi.rs":"988fb87936064fa006fcc9474ac62099c8d6e98d38bb80cec2cd864066482a08","src/debug.rs":"61343f8bf13695020102c033aeaacd9ccd3ec830eacbf9011127e61829451d20","src/difference.rs":"9b4b8f91c72932bfda262abdceff0ec124a5a8dd27d07bd4d2e5e7889135c6c9","src/display.rs":"c04f2397d1d1d86a5e2188c2840c505cb0baeaf9706a88d4bbe56eadc67811b9","src/lib.rs":"b85df4b9b8832cda777db049efa2ec84b9847438fa3feaf8540e597ce2532a47","src/style.rs":"1042fc973f5ea8bbb2a2faec334aad530520b53edc9b3296174ae38c1060490b","src/util.rs":"07c127f732887573a1c9126fc0288e13e7a8f1f803513b95e50aac2905171b0d","src/windows.rs":"7ce7dd6738b9728fcd3908c284b6f29a9bdfb34af761b4c7385cf7e3e1b20e64","src/write.rs":"c9ec03764ad1ecea8b680243c9cafc5e70919fcea7500cc18246ffd8f6bb4b33"},"package":"d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"}
\ No newline at end of file
+{"files":{".appveyor.yml":"dc18e08f20a732eadcc795e8415d3f1c3db42cb53e08a37a3c3fc2e491e13126",".cargo_vcs_info.json":"c50b5a1bf1149608ba4d9d7a4ef07c84fc56ef16831f90ce4c1597d2231dc102",".rustfmt.toml":"67eadc5b3de4ec436094e2a0cd2615180521a835fe2c74a69fa08a93735aefc0",".travis.yml":"2c8011ac77dbefaada1c4fa9e4556bfa48ac6b8fd62f332a4ba4e63eb61412a4","Cargo.lock":"31bb7b361278d99a00595cbd916c444e6fd193b5f0b1ea0cf2d9454440739501","Cargo.toml":"4ca681d6949661455ac88541ffa68ebc7db50cb2b6e9a2134e6d0687da4997c3","Cargo.toml.orig":"8fef8834a60c530d2d948340fd43d8faf711650ff23abcc9b8eed0fb9a6b73ae","LICENCE":"2762990c7fbba9d550802a2593c1d857dcd52596bb0f9f192a97e9a7ac5f4f9e","README.md":"8d983e1bb3cc99724010d9073a5be6452cd49bd57a877525fd0a5dd41e6591d5","examples/256_colours.rs":"5f2845068bc2d93cff4a61f18ffa44fbbbc91be771dfd686d537d343f37041da","examples/basic_colours.rs":"d610795f3743d10d90ec4e5ab32cc09fb16640896cecd2f93fca434a0920397c","examples/rgb_colours.rs":"8399e5131e959a56c932036b790e601fb4ad658856112daf87f933889b443f2c","src/ansi.rs":"988fb87936064fa006fcc9474ac62099c8d6e98d38bb80cec2cd864066482a08","src/debug.rs":"61343f8bf13695020102c033aeaacd9ccd3ec830eacbf9011127e61829451d20","src/difference.rs":"9b4b8f91c72932bfda262abdceff0ec124a5a8dd27d07bd4d2e5e7889135c6c9","src/display.rs":"c04f2397d1d1d86a5e2188c2840c505cb0baeaf9706a88d4bbe56eadc67811b9","src/lib.rs":"b85df4b9b8832cda777db049efa2ec84b9847438fa3feaf8540e597ce2532a47","src/style.rs":"1042fc973f5ea8bbb2a2faec334aad530520b53edc9b3296174ae38c1060490b","src/util.rs":"07c127f732887573a1c9126fc0288e13e7a8f1f803513b95e50aac2905171b0d","src/windows.rs":"7ce7dd6738b9728fcd3908c284b6f29a9bdfb34af761b4c7385cf7e3e1b20e64","src/write.rs":"c9ec03764ad1ecea8b680243c9cafc5e70919fcea7500cc18246ffd8f6bb4b33"},"package":"d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"}
\ No newline at end of file

Steps

1. Add a dependency which source include "hidden" files such as ansi_term to your project
2. Run cargo vendor on Linux
3. Observe that vendor/ansi_term/.cargo-checksum.json doesn't include any of these "hidden" files
4. In the same conditions (possibly even reusing the same project), run cargo vendor on Windows
5. Observe that vendor/ansi_term/.cargo-checksum.json now includes "hidden" files such as such as .appveyor.yml or .rustfmt.toml

Possible Solution(s)

I'm not entirely sure whether the bug is that these files are added on Windows, or ignored on Linux, but it seems to me like the generation of this file should be deterministic regardless of the operating system. So either these files should be included when using Linux, or ignored when using Windows.

Notes

No response

Version

cargo 1.90.0 (840b83a10 2025-07-30)
release: 1.90.0
commit-hash: 840b83a10fb0e039a83f4d70ad032892c287570a
commit-date: 2025-07-30
host: x86_64-pc-windows-msvc
libgit2: 1.9.1 (sys:0.20.2 vendored)
libcurl: 8.14.1-DEV (sys:0.4.82+curl-8.14.1 vendored ssl:Schannel)
os: Windows 10.0.26100 (Windows 11 Core) [64-bit]

[weihanglo]

I was under the impression that #15514 (released in 1.89) should have fixed that issue already, as Cargo directly extracts vendored source from .crate tarballs for regisitry source. Could you check again you're using 1.89 and the bad crate is a registry dependency?

[epage]

With Cargo 1.90, I just ran

$ cargo --version --verbose
cargo 1.90.0 (840b83a10 2025-07-30)
release: 1.90.0
commit-hash: 840b83a10fb0e039a83f4d70ad032892c287570a
commit-date: 2025-07-30
host: x86_64-unknown-linux-gnu
libgit2: 1.9.1 (sys:0.20.2 vendored)
libcurl: 8.14.1-DEV (sys:0.4.82+curl-8.14.1 vendored ssl:OpenSSL/3.5.0)
ssl: OpenSSL 3.5.0 8 Apr 2025
os: Pop!_OS 22.4.0 (jammy) [64-bit]
$ cargo new cargo-16068
$ cd cargo-16068
$ cargo add ansi_term
$ cargo vendor
$ cat vendor/ansi_term/.cargo-checksum.json | jq
{
  "files": {
    ".appveyor.yml": "dc18e08f20a732eadcc795e8415d3f1c3db42cb53e08a37a3c3fc2e491e13126",
    ".cargo_vcs_info.json": "c50b5a1bf1149608ba4d9d7a4ef07c84fc56ef16831f90ce4c1597d2231dc102",
    ".rustfmt.toml": "67eadc5b3de4ec436094e2a0cd2615180521a835fe2c74a69fa08a93735aefc0",
    ".travis.yml": "2c8011ac77dbefaada1c4fa9e4556bfa48ac6b8fd62f332a4ba4e63eb61412a4",
    "Cargo.lock": "31bb7b361278d99a00595cbd916c444e6fd193b5f0b1ea0cf2d9454440739501",
    "Cargo.toml": "4ca681d6949661455ac88541ffa68ebc7db50cb2b6e9a2134e6d0687da4997c3",
    "Cargo.toml.orig": "8fef8834a60c530d2d948340fd43d8faf711650ff23abcc9b8eed0fb9a6b73ae",
    "LICENCE": "2762990c7fbba9d550802a2593c1d857dcd52596bb0f9f192a97e9a7ac5f4f9e",
    "README.md": "8d983e1bb3cc99724010d9073a5be6452cd49bd57a877525fd0a5dd41e6591d5",
    "examples/256_colours.rs": "5f2845068bc2d93cff4a61f18ffa44fbbbc91be771dfd686d537d343f37041da",
    "examples/basic_colours.rs": "d610795f3743d10d90ec4e5ab32cc09fb16640896cecd2f93fca434a0920397c",
    "examples/rgb_colours.rs": "8399e5131e959a56c932036b790e601fb4ad658856112daf87f933889b443f2c",
    "src/ansi.rs": "988fb87936064fa006fcc9474ac62099c8d6e98d38bb80cec2cd864066482a08",
    "src/debug.rs": "61343f8bf13695020102c033aeaacd9ccd3ec830eacbf9011127e61829451d20",
    "src/difference.rs": "9b4b8f91c72932bfda262abdceff0ec124a5a8dd27d07bd4d2e5e7889135c6c9",
    "src/display.rs": "c04f2397d1d1d86a5e2188c2840c505cb0baeaf9706a88d4bbe56eadc67811b9",
    "src/lib.rs": "b85df4b9b8832cda777db049efa2ec84b9847438fa3feaf8540e597ce2532a47",
    "src/style.rs": "1042fc973f5ea8bbb2a2faec334aad530520b53edc9b3296174ae38c1060490b",
    "src/util.rs": "07c127f732887573a1c9126fc0288e13e7a8f1f803513b95e50aac2905171b0d",
    "src/windows.rs": "7ce7dd6738b9728fcd3908c284b6f29a9bdfb34af761b4c7385cf7e3e1b20e64",
    "src/write.rs": "c9ec03764ad1ecea8b680243c9cafc5e70919fcea7500cc18246ffd8f6bb4b33"
  },
  "package": "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
}

Are you sure that cargo vendor was run with cargo 1.90? Starting with 1.89 (#15514), cargo vendor does a direct extraction from the .crate file. Before that, we created a .crate from a .crate to vendor which was a lossy process.

[babolivier]

Ah, right, that's it. I thought it was due to different operating systems, but it turns out when testing with Windows we used 1.90 and when testing with Linux we used 1.88 (I thought I had updated my local Cargo so I could test with the latest version but it looks like I misremembered). Thanks!