From 37dded471d9cea466e61e814fcf0bc85fe25c115 Mon Sep 17 00:00:00 2001
From: Joel Gallant
Date: Sat, 6 Oct 2018 18:20:24 -0600
Subject: [PATCH] Rejects wildcard dependency constraints in cargo publish
Fixes #5941
---
 src/cargo/ops/registry.rs | 10 ++++++++++
 tests/testsuite/publish.rs | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/src/cargo/ops/registry.rs b/src/cargo/ops/registry.rs
index 34c8fa0bbe4..f5ffeb9fcca 100644
--- a/src/cargo/ops/registry.rs
+++ b/src/cargo/ops/registry.rs
@@ -9,6 +9,7 @@ use git2;
 use registry::{NewCrate, NewCrateDependency, Registry};
 use url::percent_encoding::{percent_encode, QUERY_ENCODE_SET};
+use semver::VersionReq;
 use core::dependency::Kind;
 use core::manifest::ManifestMetadata;
@@ -136,6 +137,15 @@ fn verify_dependencies(pkg: &Package, registry_src: &SourceId) -> CargoResult<()
 dep.source_id()
 );
 }
+ } else if *dep.version_req() == VersionReq::parse("*").unwrap() {
+ // crates.io rejects wildcard (`*`) dependency constraints (issue 5941)
+ // https://doc.rust-lang.org/cargo/faq.html#can-libraries-use--as-a-version-for-their-dependencies
+ bail!(
+ "the dependency `{}` used a wildcard (`*`) as a version, crates.io will not accept \
+ packages with wildcard dependency constraint\nfor more information, see the FAQ: \
+ https://doc.rust-lang.org/cargo/faq.html#can-libraries-use--as-a-version-for-their-dependencies",
+ dep.package_name()
+ )
 }
 }
 Ok(())
diff --git a/tests/testsuite/publish.rs b/tests/testsuite/publish.rs
index 53b6cb3e541..ceb625e22a4 100644
--- a/tests/testsuite/publish.rs
+++ b/tests/testsuite/publish.rs
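Review bot: In the `verify_dependencies` hunk of `src/cargo/ops/registry.rs`, the wildcard check is attached as a trailing `else if`, so it only runs for dependencies that none of the earlier arms matched. Those arms begin outside the hunk, but if one of them handles dependencies that also carry a version requirement (a path dependency with `version = "*"`, say), that `*` would presumably skip this check; making it an independent `if` ahead of the chain would close that gap, or the earlier arms should be confirmed not to let a `*` through. The message names crates.io unconditionally although the function is parameterised by `registry_src`, so a publish to any other registry would appear to get the same text; worth confirming that is intended. `VersionReq::parse("*").unwrap()` is also re-parsed for every dependency compared; binding it once as `let wildcard = VersionReq::parse("*").unwrap();` before the dependencies are walked and comparing `*dep.version_req() == wildcard` avoids that.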
@@ -617,6 +617,40 @@ See [..]
 assert!(!publish::upload_path().join("api/v1/crates/new").exists());
 }
+#[test]
+fn dry_run_crates_io() {
+ publish::setup();
+
+ let p = project()
+ .file(
+ "Cargo.toml",
+ r#"
+ [project]
+ name = "foo"
+ version = "0.0.1"
+ authors = []
+ license = "MIT"
+ description = "foo"
+ [dependencies]
+ foo = "*"
+ "#,
+ ).file("src/main.rs", "fn main() {}")
+ .build();
+
+ p.cargo("publish --dry-run")
+ .with_status(101)
+ .with_stderr(
+ " \
+ Updating crates.io index
+error: the dependency `foo` used a wildcard (`*`) as a version, crates.io will not accept packages with wildcard dependency constraint
+for more information, see the FAQ: https://doc.rust-lang.org/cargo/faq.html#can-libraries-use--as-a-version-for-their-dependencies
+",
+ ).run();
+
+ // Ensure the API request wasn't actually made
+ assert!(!publish::upload_path().join("api/v1/crates/new").exists());
+}
+
 #[test]
 fn block_publish_feature_not_enabled() {
 publish::setup();
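Review bot: The new test is named `dry_run_crates_io`, which does not say that it covers wildcard rejection, and its manifest makes package `foo` depend on `foo = "*"`, so the asserted text "the dependency `foo`" cannot be told apart from the package's own name. A descriptive name (for example `publish_rejects_wildcard_dependency`) and a distinct dependency name such as `bar = "*"` would make a failure easier to read. Only `[dependencies]` with `--dry-run` is exercised; a case for `[dev-dependencies]` or `[build-dependencies]`, and one showing that a non-wildcard requirement still publishes, would pin how far the new check reaches.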