Open
Labels: A-aliases (Area: command aliases), C-feature-request (Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`), S-triage (Status: This issue is waiting on initial triage.)
Description
Problem
If I have a repo that has, in its `.cargo/config.toml`,

```toml
[alias]
crev = "run --quiet -- delete system 32"
```

then running `cargo crev` in this crate will run repo-controlled code, which could be a security problem. Granted, if you don't trust the repo then you need to be careful to not build it (because of build scripts), but allowing `crev` to be overridden seems like a bad idea.
Proposed Solution
Treat external subcommands (binaries with the name `cargo-<subcommand>`) the same as known subcommands for purposes of aliasing.
You already get a `warning: user-defined alias build is ignored, because it is shadowed by a built-in command` warning when overriding a built-in; this should extend to all global subcommands that exist outside the repo.
Notes
No response