发布 Rust 1.96

发布 Rust 1.96
Announcing Rust 1.96

原始链接: https://blog.rust-lang.org/2026/05/28/Rust-1.96.0/

Rust 团队现已发布 1.96.0 版本，可通过 `rustup update stable` 进行更新。主要亮点包括： * **新增范围类型**：新的 `core::range` 类型（例如 `Range` 和 `RangeInclusive`）已稳定。与旧版类型不同，它们实现了 `Copy` 和 `IntoIterator`，从而在结构体中能更灵活地使用。 * **模式匹配宏**：引入了新的 `assert_matches!` 和 `debug_assert_matches!` 宏。与使用 `assert!(matches!(...))` 相比，它们提供了更清晰的诊断错误信息，并且可以从 `core` 或 `std` 中导入。 * **WebAssembly 变更**：链接器不再默认向 WebAssembly 目标传递 `--allow-undefined` 参数。现在，未定义的符号将被视为错误，以帮助更早地发现配置问题。 * **安全修复**：修复了两个与第三方注册中心相关的 Cargo 漏洞（CVE-2026-5223 和 CVE-2026-5222）。请注意，crates.io 用户不受影响。建议用户查阅完整的发布说明以了解更多详情，并欢迎通过 beta 或 nightly 通道测试未来的版本。

The Rust team is happy to announce a new version of Rust, 1.96.0. Rust is a programming language empowering everyone to build reliable and efficient software.

If you have a previous version of Rust installed via rustup, you can get 1.96.0 with:

$ rustup update stable

If you don't have it already, you can get rustup from the appropriate page on our website, and check out the detailed release notes for 1.96.0.

If you'd like to help us out by testing future releases, you might consider updating locally to use the beta channel (rustup default beta) or the nightly channel (rustup default nightly). Please report any bugs you might come across!

it is a footgun to implement both Iterator and Copy on the same type so this has been avoided. RFC3550 proposed a set of replacement range types that implement IntoIterator rather than Iterator, meaning they can also be Copy. The standard library portion of that RFC is now stable, introducing:

core::range::Range
core::range::RangeFrom
core::range::RangeInclusive
Associated iterators

A Rust version in the near future will also add core::range::RangeFull and core::range::RangeTo as re-exports from core::ops (these do not implement Iterator and already implement Copy), and core::range::legacy::* as the new home for the current ranges. Range syntax like 0..1 still produces the legacy types for now, but will be updated to core::range types in a future edition.

With these stabilizations, it is now possible to store slice accessors in Copy types without splitting start and end:

use core::range::Range;

#[derive(Clone, Copy)]
pub struct Span(Range<usize>);

impl Span {
    pub fn of(self, s: &str) -> &str {
        &s[self.0]
    }
}

The new RangeInclusive also makes its fields public, unlike the legacy version which avoided exposing the exhausted iterator state. This isn't a concern with the new type since it must be converted to begin iteration.

Library authors should consider making use of impl RangeBounds in public API, which accepts both legacy and new range types. If a concrete type is needed, prefer using new ranges as this will eventually become the default.

The new macros assert_matches! and debug_assert_matches! check that a value matches a given pattern, panicking with a Debug representation of the value otherwise. These are essentially the same as assert!(matches!(..)) and debug_assert!(matches!(..)), but the printed value improves the possibility of diagnosing the failure.

These new macros have not been added to the standard prelude, because they would collide with popular third-party crates that provide macros with the same name. Instead, they should be manually imported from core or std before use.

use core::assert_matches;


fn get_random_number() -> u32 {


    4
}

fn main() {
    assert_matches!(get_random_number(), 1..=6);
}

WebAssembly targets no longer pass --allow-undefined to the linker which means that undefined symbols when linking are now a linker error instead of being converted to WebAssembly imports from the "env" module. This change prevents modules from linking unless all linking-related symbols are defined to catch bugs earlier and prevent accidental issues with symbol naming or similar.

Undefined linking-related symbols are often indicative of build-time related bugs or misconfiguration. If, however, the old behavior is intended then it can be re-enabled with RUSTFLAGS=-Clink-arg=--allow-undefined or by editing the source code and using #[link(wasm_import_module = "env")] on the block defining the symbol.

previously announced on this blog, and now takes effect in Rust 1.96.

CVE-2026-5223 is a medium severity vulnerability regarding extraction of crate tarballs with symlinks.
CVE-2026-5222 is a low severity vulnerability regarding authentication with normalized URLs.

Users of crates.io are not affected by either vulnerability.

Rust, Cargo, and Clippy.

Thanks!

发布 Rust 1.96 Announcing Rust 1.96

发布 Rust 1.96
Announcing Rust 1.96