Automic VaultAutomic Vault

brew

Install cargo-crev with Homebrew, apk, Nix, pacman

Code review system for the cargo package manager. Version 0.27.1 via Homebrew; verified 2026-06-22.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cargo-crev

local Homebrew formula metadata

Linux

Alpine Linux apkverified · 92%
sudo apk add cargo-crev

Alpine Linux edge package indexes · cargo-crev · source: dl-cdn.alpinelinux.org

Nixverified · 92%
nix profile install nixpkgs#cargo-crev

nixpkgs package indexes · pkgs/by-name/ca/cargo-crev/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S cargo-crev

Arch Linux sync databases · cargo-crev · source: geo.mirror.pkgbuild.com

overview

Package summary

Code review system for the cargo package manager

Commands and aliases

  • cargo-crev

history

Project history and usage

cargo-crev is a cryptographically verifiable code-review and trust tool for Cargo dependencies. It implements the broader Crev idea for Rust by letting users publish package reviews, consume reviews from others, and build a web of trust around crates.

Project history

The repository was created in 2018 and the README describes Crev as a language- and ecosystem-agnostic distributed code-review system. cargo-crev is the Cargo-integrated command-line implementation for Rust users.

Early project history is tied to the dpc/crev lineage; later changelog entries and repository organization show the project under crev-dev/cargo-crev, with continued releases and documentation for trust, package review, verification, and proof repositories.

Adoption history

cargo-crev emerged during growing Rust concern over transitive dependency trust and supply-chain review. Its adoption is more cultural than universal: the README asks supportive projects to recommend it, while package-manager availability in apk, Homebrew, Nix, and pacman makes it accessible to security-minded developers.

The tool has remained active through 2026. The changelog records later features such as exporting toward cargo-vet workflows and AI-assisted review-loop commands, showing that it continues to adapt to Rust supply-chain review practice.

How it is used

Users initialize an identity and proof repository, review crates, publish signed proofs, fetch other users' proofs, and run verification commands against project dependencies. The tool can warn about untrustworthy crates, report dependency metrics, and help identify dependency bloat.

Unlike scanners that only consume centralized advisories, cargo-crev is built around human review statements and trust delegation. That makes it useful when a team wants auditable social trust, not only vulnerability matching.

Why package nerds care

cargo-crev is one of the Rust ecosystem's most explicit attempts to make package trust a first-class artifact. It treats reviews as distributed, cryptographically verifiable package metadata rather than comments trapped in a website or issue tracker.

For package-history work, it is important because it documents an alternative path for supply-chain security: reviewer reputation, signed proofs, and webs of trust alongside registries and vulnerability databases.

Timeline

  • 2018: GitHub repository created.
  • 2018: crates.io records the first cargo-crev publication.
  • 2022: Changelog records proof storage moving toward data directories and new web-of-trust diagnostics.
  • 2025: Changelog records crevette export support toward cargo-vet.
  • 2026: Changelog records 0.27.x releases adding AI review-loop commands and Rust 2024 edition work.

Related projects

  • Crev is the ecosystem-agnostic distributed code-review system that cargo-crev implements for Cargo.
  • cargo-vet is a related Rust supply-chain review tool, and the cargo-crev changelog mentions crevette export support toward cargo-vet.
  • RustSec-style advisory databases address vulnerability matching, while cargo-crev focuses on signed human trust and review proofs.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:package manager

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
~/.config/crev/proofs/<proof-repository-id>

executables

Installed executables

CommandKindExposureNote
cargo-crevcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.27.1
manager updated2026-06-22
local dataok
upstreamcurrent
latest detectedv0.27.1

https://github.com/crev-dev/cargo-crev

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:cargo-crev
Version0.27.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cargo-crev
Homepagehttps://github.com/crev-dev/cargo-crev
Repositoryhttps://github.com/crev-dev/cargo-crev
Upstream docshttps://github.com/crev-dev/cargo-crev#readme
LicenseApache-2.0
Source archivehttps://github.com/crev-dev/cargo-crev/archive/refs/tags/v0.27.1.tar.gz
Last updated2026-06-22T14:02:57-07:00
Pulseupdated
Dependenciesopenssl@3
Build dependenciesrust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecargo-crev
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

cargo-crev

nix profile install nixpkgs#cargo-crev
  • normalized package name match
  • Matched by: Cargo Crev
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ca/cargo-crev/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

cargo-crev 0.26.3-r0

Cryptographically verifiable code review system for cargo

https://github.com/crev-dev/cargo-crev

sudo apk add cargo-crev
  • License: MPL-2.0 OR MIT OR Apache-2.0
  • Architecture: x86_64
  • Source Package: cargo-crev
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cargo Crev
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cargo-crev from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
pacman95%

cargo-crev 0.27.1-2

Scalable, social, Code REView and recommendation system that we desperately need

https://github.com/crev-dev/cargo-crev

sudo pacman -S cargo-crev
  • License: MPL-2.0 AND Apache-2.0 AND MIT
  • Architecture: x86_64
  • 5 dependencies
  • normalized package name match
  • Matched by: Cargo Crev
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: cargo-crev from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment