mirror of
https://github.com/rust-lang/cargo.git
synced 2026-05-06 16:39:36 -04:00
10262b6552
### What does this PR try to resolve?

Clarify it only protects against accidental modifications and is not a security mechanism.

Cargo doesn't set `deny_unknown_fields` on the [`Checksum`] struct, so older Cargo versions will just silently skip the `$comment` key. No backward compat issue.

However, if external tools reject unknown fields they may have issues. Also, this adds source diff churn when running `cargo vendor` between different toolchain versions even when dependencies have no changes.

[`Checksum`]: https://github.com/rust-lang/cargo/blob/230e325f0b78128d6a005b8fa606b2854f5227db/src/cargo/sources/directory.rs#L68-L79

### How to test and review this PR?

cc https://github.com/rust-lang/cargo/pull/16966

And see [#t-cargo > adding a comment on `.cargo-checksum.json`](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/adding.20a.20comment.20on.20.60.2Ecargo-checksum.2Ejson.60/with/593120043)
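
An added example, not part of the commit or Cargo's own code: a small Python check of a vendored crate directory against its `.cargo-checksum.json`, with a tolerant reader that skips `$comment` and a strict one (the external-tool case) that rejects it. The directory name, file contents and `$comment` text are constructed, and `load_checksums`, `verify_dir` and `make_sample` are hypothetical helper names.

```python
import hashlib
import json
import tempfile
from pathlib import Path

KNOWN_KEYS = {"package", "files"}  # the two fields of Cargo's Checksum struct


def load_checksums(text, strict=False):
    """Parse checksum JSON; strict=True models a tool that rejects unknown keys."""
    data = json.loads(text)
    unknown = sorted(set(data) - KNOWN_KEYS)
    if strict and unknown:
        raise ValueError(f"unknown field(s): {unknown}")
    parsed = {"package": data.get("package"), "files": dict(data.get("files", {}))}
    return parsed, unknown


def verify_dir(pkg_dir, strict=False):
    """Return relative paths that are missing or whose SHA-256 differs."""
    pkg_dir = Path(pkg_dir)
    text = (pkg_dir / ".cargo-checksum.json").read_text()
    checksums, _ = load_checksums(text, strict)
    bad = []
    for rel, expected in sorted(checksums["files"].items()):
        path = pkg_dir / rel
        actual = hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None
        if actual != expected:
            bad.append(rel)
    return bad


def make_sample(root):
    """Constructed sample: one source file and a checksum file with $comment."""
    pkg = Path(root) / "demo-0.1.0"
    (pkg / "src").mkdir(parents=True)
    body = b"pub fn answer() -> u32 { 42 }\n"
    (pkg / "src" / "lib.rs").write_bytes(body)
    doc = {"$comment": "constructed placeholder, not Cargo's wording",
           "files": {"src/lib.rs": hashlib.sha256(body).hexdigest()},
           "package": None}
    (pkg / ".cargo-checksum.json").write_text(json.dumps(doc))
    return pkg


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("mismatches:", verify_dir(make_sample(tmp)))
```

The recorded hashes sit unsigned next to the files they describe, so a check like this detects drift in a vendored tree and nothing more, which matches the PR's framing.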