docs(cargo-yank): clarify yank behavior with leaked credentials

moabo3li · moabo3li · commit 6cc35498d03a · 2025-11-18T19:21:37.000+02:00
diff --git a/src/doc/man/cargo-yank.md b/src/doc/man/cargo-yank.md
@@ -68,9 +68,10 @@ them at <help@crates.io>.
 
 If credentials have been leaked, the recommended course of action is to revoke
 them immediately. Once a crate has been published, it is impossible to determine
-if the leaked credentials have been copied. Yanking the crate only prevents new
-users from downloading it, but cannot stop those who have already downloaded it
-from keeping or even spreading the leaked credentials.
+if the leaked credentials have been copied. Yanking only prevents Cargo from
+selecting this version when resolving dependencies by default. Existing lock
+files or direct downloads are not affected, so yanking cannot stop further
+spreading of the leaked credentials.
 
 [RustSec]: https://rustsec.org/
 [policies]: https://crates.io/policies
