cargo : clap @ 4.6.1
Auditor: Patrick Elsen (PE). Signed 2026-05-27, published 2026-05-27.

Claims

has-binaries
has-build-exec
has-fuzz-tests
has-install-exec
has-integration-tests
has-property-tests
has-unit-tests
impl-algorithm
impl-concurrency
impl-crypto
impl-datastructure
impl-interpreter
impl-jit
impl-parser
impl-protocol
is-benign
uses-concurrency
uses-crypto
uses-environment
uses-exec
uses-filesystem
uses-interpreter
uses-jit
uses-network
uses-unsafe

Summary

clap 4.6.1 is the umbrella re-export crate for the clap argument-parser ecosystem; it re-exports clap_builder wholesale and optionally re-exports clap_derive macros. The crate enforces #![forbid(unsafe_code)], contains no independent logic, no I/O, no build scripts, and no compiled binary assets. No findings were recorded.

Report

Subject

clap 4.6.1 is the top-level umbrella crate for the clap command-line argument parser ecosystem. It re-exports the complete public API of clap_builder and optionally re-exports procedural macros (Parser, Args, Subcommand, ValueEnum) from clap_derive when the derive feature is enabled. The crate's own source contains only the re-export declarations, doc-only modules (_concepts, _cookbook, _derive, _faq, _features, _tutorial) gated on the unstable-doc feature flag, and a stdio-fixture binary used by the upstream test suite.

Methodology

The published crate contents were compared against the upstream Git repository at the commit recorded in .cargo_vcs_info.json using diff -rq. All source files in contents/src/ (22 files, 1670 total lines) were read in full. Both Cargo.toml and Cargo.toml.orig were read. The source code was surveyed with grep for unsafe blocks, FFI, network, filesystem, process execution, environment variable access, crypto, RNG, and concurrency patterns. Tools used: openvet 0.6.0, diff, find, grep, wc.
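The two checks that carry most of the weight in this methodology (the diff against the VCS checkout and the grep for unsafe/FFI) are easy to reproduce. The script below is an added example, not part of this audit or of the openvet tool: it builds a small constructed crate tree under mktemp so it runs offline, then applies the same two checks. The fixture file contents, the directory names and the function names are assumptions made for the example; the only file cargo is expected to rewrite on publish is Cargo.toml, so that one difference is filtered out exactly as the Results section describes.

```shell
#!/usr/bin/env bash
# Added example (not from the audit): reproduce the VCS-diff and unsafe-grep checks.
set -u

# Check 1: the crate root must carry #![forbid(unsafe_code)], and no `unsafe`
# keyword or `extern "C"` FFI declaration may appear under src/.
# Returns 0 when the uses-unsafe=false claim holds for the tree at $1.
check_unsafe() {
    local crate_dir="$1"
    local root="$crate_dir/src/lib.rs"
    if ! grep -q '^#!\[forbid(unsafe_code)\]' "$root" 2>/dev/null; then
        echo "FAIL: $root does not carry #![forbid(unsafe_code)]"
        return 1
    fi
    # -r recurse, -n line numbers, -E alternation, -w whole words so that
    # `unsafe_code` inside the forbid attribute itself is not counted.
    if grep -rnEw --include='*.rs' 'unsafe|extern "C"' "$crate_dir/src"; then
        echo "FAIL: unsafe or FFI usage found under $crate_dir/src"
        return 1
    fi
    echo "OK: no unsafe or FFI under $crate_dir/src"
    return 0
}

# Check 2: the published package ($1) must match the VCS checkout ($2) file for
# file. diff -rq lists only differing or missing files; the cargo-normalised
# Cargo.toml is the one difference that is expected, so it is filtered out.
check_matches_vcs() {
    local published="$1" checkout="$2"
    local diffs
    diffs=$(diff -rq "$published" "$checkout" | grep -v '/Cargo.toml differ$' || true)
    if [ -n "$diffs" ]; then
        echo "FAIL: published crate differs from VCS checkout:"
        echo "$diffs"
        return 1
    fi
    echo "OK: published source matches VCS checkout (Cargo.toml normalisation excepted)"
    return 0
}

# Constructed fixture: a facade crate like the one audited. kind=tainted adds a
# file with an unsafe block so the second check has something to catch.
make_fixture() {
    local dir="$1" kind="$2"
    mkdir -p "$dir/src"
    printf '#![forbid(unsafe_code)]\npub use clap_builder::*;\n' > "$dir/src/lib.rs"
    printf '[package]\nname = "clap"\nversion = "4.6.1"\n' > "$dir/Cargo.toml"
    if [ "$kind" = tainted ]; then
        printf 'pub fn peek(p: *const u8) -> u8 { unsafe { *p } }\n' > "$dir/src/extra.rs"
    fi
}

# Stand-alone demo: a clean tree passes both checks, a tainted tree fails the grep.
demo() {
    local tmp
    tmp=$(mktemp -d)
    make_fixture "$tmp/published" clean
    make_fixture "$tmp/checkout" clean
    # Simulate cargo's manifest normalisation: only Cargo.toml differs.
    printf '[package]\nname = "clap"\nversion = "4.6.1"\nedition = "2021"\n' > "$tmp/checkout/Cargo.toml"
    make_fixture "$tmp/tainted" tainted
    check_unsafe "$tmp/published"
    check_unsafe "$tmp/tainted" || echo "(expected failure on the tainted fixture)"
    check_matches_vcs "$tmp/published" "$tmp/checkout"
    rm -rf "$tmp"
}

demo
```

Run against a real audit target, point check_unsafe at the unpacked .crate contents and check_matches_vcs at the unpacked contents and a checkout of the commit named in .cargo_vcs_info.json; any "Only in" line or any differing file other than Cargo.toml is what warrants a finding.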

Results

The diff between the published crate and the VCS checkout shows no differences in any source file. The only difference is in Cargo.toml, which is the cargo-normalised version of the workspace manifest as expected.

The crate root (src/lib.rs) bears #![forbid(unsafe_code)], and grep confirms zero unsafe blocks, FFI declarations, or memory-unsafe patterns anywhere in contents/src/, justifying uses-unsafe=false. The crate contains no network, filesystem, process execution, environment variable reads, cryptographic operations, or concurrency primitives; all such capabilities live entirely in clap_builder, which is a separate audit target. This justifies uses-network=false, uses-filesystem=false, uses-exec=false, uses-environment=false, uses-crypto=false, uses-concurrency=false, uses-jit=false, uses-interpreter=false.

No build script is present (build = false in Cargo.toml), justifying has-build-exec=false and has-install-exec=false. No pre-compiled binary assets are present in the package contents, justifying has-binaries=false. The src/bin/stdio-fixture.rs binary is a Rust source file, not a compiled artifact, used by the upstream trycmd test suite.

Tests are not published with this crate (tests/ is excluded from the published package per the include list in Cargo.toml); they exist in the VCS repository under the workspace but are outside the scope of this package, justifying has-unit-tests=false and has-integration-tests=false. No fuzz or property tests are included in the published crate, justifying has-fuzz-tests=false and has-property-tests=false.

This crate implements no independent logic: it delegates everything to clap_builder and optionally clap_derive. This justifies impl-parser=false, impl-algorithm=false, impl-datastructure=false, impl-crypto=false, impl-protocol=false, impl-concurrency=false, impl-interpreter=false, impl-jit=false.

No obfuscated code, base64 blobs, suspicious network endpoints, timing-based behaviour, or telemetry was found, justifying is-benign=true.

No findings were recorded.

Conclusion

clap 4.6.1 is a thin re-export facade over clap_builder and optionally clap_derive. The crate root is 111 lines, enforces #![forbid(unsafe_code)], and contains no independent logic. The doc-only modules add documentation but no executable behaviour. The two runtime dependencies are the packages that actually implement all functionality and warrant their own audits.

Findings

No findings.

Annotations (2)

src/bin/stdio-fixture.rs

A test fixture binary used by trycmd integration tests in the VCS repository. It exercises clap's builder API to construct a Command with subcommands, flags, and options. Contains no logic beyond argument declaration and get_matches(). No I/O beyond stdout/stderr from clap itself. Justifies has-binaries=false (source, not a compiled binary artifact).

src/lib.rs

The crate root. It declares #![forbid(unsafe_code)], establishing that this crate itself contains no unsafe Rust, justifying uses-unsafe=false. All public API is delegated through pub use clap_builder::*. The optional derive feature re-exports clap_derive::{self, Args, Parser, Subcommand, ValueEnum}. The _concepts, _cookbook, _derive, _faq, _features, and _tutorial modules are doc-only modules gated on unstable-doc, containing no executable logic. No network, filesystem, exec, environment, or crypto usage is present, justifying uses-network=false, uses-filesystem=false, uses-exec=false, uses-environment=false, uses-crypto=false. This crate is a pure re-export facade with no independent implementation, justifying impl-parser=false, impl-algorithm=false, impl-datastructure=false, impl-crypto=false, impl-protocol=false, impl-concurrency=false, impl-interpreter=false, impl-jit=false. No malicious code is present, justifying is-benign=true.