re-vendored suggestion is incorrect with sparse crates.io

[ehuss]

Problem

The error message for a resolver activation error includes this comment when used with crates.io:

perhaps a crate was updated and forgotten to be re-vendored?

This is not correct. This message should only be displayed when vendoring is enabled. Cargo is getting confused somehow, thinking index.crates.io is a replaced source. This message should only be displayed when vendoring is actually enabled.

Steps

Try to build with:

[dependencies]
regex = "99"

displays:

    Updating crates.io index
error: failed to select a version for the requirement `regex = "^99"`
candidate versions found which didn't match: 1.10.0, 1.9.6, 1.9.5, ...
location searched: crates.io index
required by package `foo v0.1.0 (/Users/eric/Temp/foo)`
perhaps a crate was updated and forgotten to be re-vendored?

Possible Solution(s)

The error message is generated here.

I'm uncertain at this moment why the source seems to be replaced. I vaguely recall having cargo treat index.crates.io as equivalent for the git index, but I forget how that all works.

Notes

No response

Version

cargo 1.75.0-nightly (794d0a825 2023-10-03)
release: 1.75.0-nightly
commit-hash: 794d0a82547f3081044c0aca7b6083733ce51344
commit-date: 2023-10-03
host: aarch64-apple-darwin
libgit2: 1.7.1 (sys:0.18.1 vendored)
libcurl: 8.1.2 (sys:0.4.66+curl-8.3.0 system ssl:(SecureTransport) LibreSSL/3.3.6)
ssl: OpenSSL 1.1.1u  30 May 2023
os: Mac OS 14.0.0 [64-bit]

[Eh2406]

cc @arlosi

[jneem]

I tracked down the cause here: when packages are parsed, they're given the source id "registry+https://github.com/rust-lang/crates.io-index", but if sparse indices are enabled then SourceConfigMap::load changes that to "sparse+https://index.crates.io/", and this means that the final source is indeed a replaced source.

The following patch silences the warning, but I'm not sure it's ideal -- it breaks a bunch of tests because it changes the source in the generated metadata. Another approach would be to special-case ReplacedSource::is_replaced so that replacing the non-sparse crates-io with a sparse crates-io wouldn't count as a replaced source.

diff --git a/src/cargo/util/toml/mod.rs b/src/cargo/util/toml/mod.rs
index 813868ac3..fd954885a 100644
--- a/src/cargo/util/toml/mod.rs
+++ b/src/cargo/util/toml/mod.rs
@@ -2026,7 +2026,7 @@ fn to_dependency_source_id<P: ResolveToPath + Clone>(
             let url = registry_index.into_url()?;
             SourceId::for_registry(&url)
         }
-        (None, None, None, None) => SourceId::crates_io(manifest_ctx.gctx),
+        (None, None, None, None) => SourceId::crates_io_maybe_sparse_http(manifest_ctx.gctx),
     }
 }