https://crates.io/search?q=fnmatch

https://crates.io/crates/fnmatch-regex at version v0.2.1, repository: https://gitlab.com/ppentchev/fnmatch-regex-rs

https://crates.io/crates/fnmatch-regex2 at version v0.4.0, repository: https://gitlab.com/brmmm3/fnmatch-regex2-rs (DO NOT SIGN IN, UNTIL WE KNOW ITS SAFE)

I was looking through some crates and noticed there is “fnmatch-regex2”, just below “fnmatch-regex”. The second one is newer; 4 months ago updated, compared to the original 12 months ago updated. And it has more recent downloads and a “higher version number”.

My first thought was, this either adds new functionality, or the old one is abandoned maybe? Looking in readme and documentation, I could not find anything that describes the differences. Looking at the source code on Gitlab, the first crate just shows it normally to me, but the second wants me to log in. My alarm glocks go on. Even the changelog for both are identical at version 0.2.1 (the original crate 1) without any word about changes, but the crate repository shows it should be at version v0.4.0.

I would like to know what you guys think about it. I can’t even audit the code right now, even if its the same Gitlab instance on gitlab.com. Should this be reported? Or am I just paranoid?

EDIT:

After asking in Discord, someone said I can view the source code in Docs.rs: https://docs.rs/crate/fnmatch-regex2/0.4.0/source/ . This is much better, but I am still cautious. I still don’t know what the actual changes are and would need to dive into the code and compare to find out. Which is not really something I expect to do from a trustful library.

  • Oscar@programming.devEnglish
    4·
    2 天前

    It’s likely a private/internal project, so you need to log in to prove you are allowed access. The same thing happens for one of my personal private projects.

    Edit: After logging in, the URL you posted 404’s.