Cargo-fund: discover funding links for your project's dependencies

Hey folks, I have just released a side project I've been working on for a bit: cargo-fund. It looks at your workspace's transitive dependencies, searches the Github API for sponsorship information, and displays the funding links associated with those dependencies.

For example, running cargo fund on itself looks like this (edited with new environment variable):

$ CARGO_FUND_GITHUB_API_TOKEN=... cargo fund
/path/to/cargo-fund (found funding links for 21 out of 149 dependencies)
├─┬─ https://www.buymeacoffee.com/dannyguo
│ ├─ https://www.paypal.me/DannyGuo
│ └─ https://ko-fi.com/dannyguo
│    └─ strsim 0.8.0
├─── https://github.com/sponsors/XAMPPRocky
│    └─ remove_dir_all 0.5.2
├─── https://github.com/sponsors/dtolnay
│    ├─ anyhow 1.0.28
│    ├─ dtoa 0.4.5
│    ├─ itoa 0.4.5
│    ├─ quote 1.0.3
│    ├─ ryu 1.0.4
│    └─ syn 1.0.18
├─── https://github.com/sponsors/seanmonstar
│    ├─ httparse 1.3.4
│    ├─ num_cpus 1.13.0
│    ├─ reqwest 0.10.4
│    ├─ try-lock 0.2.2
│    ├─ unicase 2.6.0
│    └─ want 0.3.0
└─── https://patreon.com/retep998
     ├─ kernel32-sys 0.2.2
     ├─ winapi 0.2.8
     ├─ winapi 0.3.8
     ├─ winapi-build 0.1.1
     ├─ winapi-i686-pc-windows-gnu 0.4.0
     ├─ winapi-x86_64-pc-windows-gnu 0.4.0
     └─ ws2_32-sys 0.2.1

Note that a Github personal access token is currently required; see the README for details on setting one up. In a future release, I hope to set up an OAuth authentication flow to make this less painful, but Github's OAuth implementation is rather unfriendly for CLI apps.

I hope cargo-fund makes it easier for individual Rustaceans to support the libraries they depend on. I also hope that corporate Rust users in particular can use this information to build support within their organizations for sponsoring open-source dependencies. Please let me know if you have suggestions for how the tool can help you be a more effective advocate (additional sources of sponsorship data? more useful output formats?).


Now that cargo-fund is released, I'm going to be looking through the repos of a number of the top crates on crates.io, and opening PRs if they mention fundraising in their docs, but don't have a .github/FUNDING.yml file. This is a relatively new mechanism from Github, so I hope the number of visible sponsorships will grow :crab: :heart: :crab:

27 Likes

This is great!

Here is the output from our codebase, 10% of the crates we were using had sponsorship links, which is good, but wasn't from that many different creators (yet).

repo (found funding links for 52 out of 510 dependencies)
├─┬─ https://paypal.me/imperioland
│ ├─ https://github.com/sponsors/GuillaumeGomez
│ └─ https://patreon.com/GuillaumeGomez
│    └─ c_vec 1.3.3
├─┬─ https://sentry.io/
│ └─ https://sentry.io/pricing/
│    ├─ debugid 0.4.0
│    ├─ sentry 0.17.0
│    └─ sentry-types 0.11.0
├─┬─ https://www.buymeacoffee.com/dannyguo
│ ├─ https://www.paypal.me/DannyGuo
│ └─ https://ko-fi.com/dannyguo
│    ├─ strsim 0.8.0
│    └─ strsim 0.9.3
├─┬─ https://www.paypal.me/nabijaczleweli
│ └─ https://patreon.com/nabijaczleweli
│    └─ embed-resource 1.3.3
├─┬─ https://www.paypal.me/nvzqz
│ ├─ https://github.com/sponsors/nvzqz
│ └─ https://patreon.com/nvzqz
│    └─ static_assertions 1.1.0
├─┬─ https://github.com/sponsors/GuillaumeGomez
│ └─ https://patreon.com/GuillaumeGomez
│    └─ doc-comment 0.3.3
├─── https://github.com/sponsors/XAMPPRocky
│    └─ remove_dir_all 0.5.2
├─── https://github.com/sponsors/dtolnay
│    ├─ anyhow 1.0.31
│    ├─ async-trait 0.1.31
│    ├─ dtoa 0.4.5
│    ├─ dyn-clone 1.0.1
│    ├─ itoa 0.4.5
│    ├─ proc-macro-hack 0.5.16
│    ├─ proc-macro-nested 0.1.4
│    ├─ quote 0.6.13
│    ├─ quote 1.0.6
│    ├─ ryu 1.0.4
│    ├─ syn 1.0.24
│    ├─ thiserror 1.0.19
│    └─ thiserror-impl 1.0.19
├─── https://github.com/sponsors/seanmonstar
│    ├─ httparse 1.3.4
│    ├─ num_cpus 1.13.0
│    ├─ reqwest 0.10.4
│    ├─ try-lock 0.2.2
│    ├─ unicase 2.6.0
│    └─ want 0.3.0
├─── https://opencollective.com/gtk-rs
│    ├─ atk-sys 0.6.0
│    ├─ cairo-rs 0.4.1
│    ├─ cairo-sys-rs 0.6.0
│    ├─ gdk 0.8.0
│    ├─ gdk-pixbuf 0.4.0
│    ├─ gdk-pixbuf-sys 0.6.0
│    ├─ gdk-sys 0.6.0
│    ├─ gio 0.4.1
│    ├─ gio-sys 0.6.0
│    ├─ glib 0.5.0
│    ├─ glib-sys 0.6.0
│    ├─ gobject-sys 0.6.0
│    ├─ gtk 0.4.1
│    ├─ gtk-sys 0.6.0
│    ├─ pango 0.4.0
│    └─ pango-sys 0.6.0
└─── https://patreon.com/retep998
     ├─ kernel32-sys 0.2.2
     ├─ winapi 0.2.8
     ├─ winapi 0.3.8
     ├─ winapi-build 0.1.1
     ├─ winapi-i686-pc-windows-gnu 0.4.0
     ├─ winapi-x86_64-pc-windows-gnu 0.4.0
     └─ ws2_32-sys 0.2.1

We were sponsoring some of these devs already on our GitHub, Patreon and OpenCollective, but did spot a few we were missing that has now been fixed, so that's good!

Think this will be a super handy tool going forward. Eventually if this gets more popular it would be nice to be able to point to your sponsorship account(s) and color the ones you are sponsoring differently vs the ones you are not (yet) .

2 Likes

First: Good Idea!

Second: I do net get why this project need a github Token or github OAuth. The funding information is available at at well known path in YAML format. Why not use it directly?

Aaa, this really warms my heart. I'm very happy to know that it's already made a difference.

Definitely! This is on my list of things to add.

Thank you!

Unfortunately, the path approach is brittle if a repository doesn't follow the usual branch naming conventions. For example, a project that calls its default branch develop wouldn't have anything at https://github.com/owner/repo/blob/master/.github/funding.yml. Unless there's an alias for the default branch?

Believe me, I really didn't want to have to commit the GraphQL crimes I did in order to make this work...

1 Like

HEAD can be used as an alias for the default branch (I don’t know of any repos that use a non-master branch off the top of my head, but I verified it worked with master at least).

Ah, that's great to know, thank you! I will see how it compares. I'm a little concerned that it might be trouble with larger dependency trees, since it'd be one request per repo and one request per owner, vs the single (monstrous) GraphQL query that is currently run. Maybe it could be a fallback option for when a token is not available, though.

And thanks to the great feedback I've received so far, version 0.2.0 is out:

  • (#5) The program now looks for the Github API token in the CARGO_FUND_GITHUB_API_TOKEN environment variable rather than GITHUB_API_TOKEN in order to better support privilege separation.
  • (#6) Increased timeout on HTTP client operations to 60 seconds.

The potential switch to downloading the funding.yml files directly will require some more investigation.

3 Likes

I’m not sure if this is feasible, however, I have seen cli applications that spin up a short lived web server on localist so that they can use code flows. The response can render I tiny static html page directing users to return to their terminal and such.

1 Like

Definitely! This is the approach I am planning to take when I give OAuth a try. Unfortunately it's not enough alone, I will also have to spin up a web service in order to hang onto the OAuth client secret. The "AppAuth" OAuth flow eliminates the need for the client secret, but alas Github doesn't support that flow.

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.