Open Shnatsel opened 3 months ago
Cargo has made it possible to depend on the same version of a given crate with different feature sets, provided that one version is a runtime dependency and another is a build dependency.

`cargo metadata` does not support this. We use it as our data source, so we may sometimes erroneously report certain build-only dependencies as runtime dependencies.

This would be automatically fixed with a better data source, if Cargo emitted SBOM information directly: https://github.com/rust-lang/rfcs/pull/3553

Until then it might be possible to work around the limitations of `cargo metadata` using the `krates` crate: https://github.com/EmbarkStudios/krates/issues/91
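To make the limitation concrete, here is an added example (not code from this project or from Cargo) that walks the `resolve` graph of `cargo metadata --format-version 1` output. It separates packages reached only through `normal` dependency edges from the root (runtime) from packages reached through `build` edges (build scripts and their own dependencies), and then lists every package reached from both sides. For those shared packages `cargo metadata` reports a single `features` list per package id, so the runtime and build feature sets cannot be told apart from this data source, which is exactly the gap the issue describes. The metadata document, package ids, versions and feature lists are constructed for the example; the field layout (`resolve.root`, `resolve.nodes[].deps[].dep_kinds[].kind`, with `null` meaning a normal dependency) follows the real format.

```python
import json
from collections import deque

# Constructed sample of `cargo metadata --format-version 1` output, trimmed to
# the `resolve` section. Ids, versions and feature lists are made up for this
# example. Normal dependency edges carry `"kind": null`, build-script
# dependencies carry `"kind": "build"`; dev dependencies ("dev") are ignored.
SAMPLE_METADATA = json.loads("""
{
  "resolve": {
    "root": "path+file:///work/app#0.1.0",
    "nodes": [
      {
        "id": "path+file:///work/app#0.1.0",
        "features": [],
        "deps": [
          {"name": "serde", "pkg": "registry+example#serde@1.0.0",
           "dep_kinds": [{"kind": null, "target": null}]},
          {"name": "codegen", "pkg": "registry+example#codegen@0.3.0",
           "dep_kinds": [{"kind": "build", "target": null}]}
        ]
      },
      {
        "id": "registry+example#codegen@0.3.0",
        "features": ["default"],
        "deps": [
          {"name": "serde", "pkg": "registry+example#serde@1.0.0",
           "dep_kinds": [{"kind": null, "target": null}]},
          {"name": "regex", "pkg": "registry+example#regex@1.9.0",
           "dep_kinds": [{"kind": null, "target": null}]}
        ]
      },
      {"id": "registry+example#serde@1.0.0", "features": ["std", "derive"], "deps": []},
      {"id": "registry+example#regex@1.9.0", "features": ["std"], "deps": []}
    ]
  }
}
""")


def _nodes_by_id(metadata):
    return {node["id"]: node for node in metadata["resolve"]["nodes"]}


def _walk(metadata, start_ids, allowed_kinds):
    """Package ids reachable from start_ids, following only edges whose
    dep_kind is in allowed_kinds (None stands for a normal dependency)."""
    nodes = _nodes_by_id(metadata)
    seen = set()
    queue = deque(start_ids)
    while queue:
        pkg_id = queue.popleft()
        if pkg_id in seen:
            continue
        seen.add(pkg_id)
        for dep in nodes[pkg_id]["deps"]:
            kinds = {dk["kind"] for dk in dep["dep_kinds"]}
            if kinds & allowed_kinds:
                queue.append(dep["pkg"])
    return seen


def runtime_packages(metadata):
    """Everything linked into the final binary: normal edges from the root."""
    root = metadata["resolve"]["root"]
    return _walk(metadata, [root], {None}) - {root}


def build_time_packages(metadata):
    """Build-script dependencies of any runtime package, plus their own
    normal and build dependencies (an approximation of the host graph)."""
    root = metadata["resolve"]["root"]
    nodes = _nodes_by_id(metadata)
    host_side = _walk(metadata, [root], {None})
    seeds = [dep["pkg"]
             for pkg_id in host_side
             for dep in nodes[pkg_id]["deps"]
             if any(dk["kind"] == "build" for dk in dep["dep_kinds"])]
    return _walk(metadata, seeds, {None, "build"})


def classify(metadata):
    runtime = runtime_packages(metadata)
    build_time = build_time_packages(metadata)
    nodes = _nodes_by_id(metadata)
    return {
        "runtime": sorted(runtime),
        "build_only": sorted(build_time - runtime),
        # Reached from both sides: cargo metadata carries one `features` list
        # per package id, so this is the union of both contexts and cannot be
        # attributed to the runtime or the build dependency separately.
        "ambiguous_features": {pkg: nodes[pkg]["features"]
                               for pkg in sorted(build_time & runtime)},
    }


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_METADATA), indent=2))
```

On the sample, `serde` ends up in `ambiguous_features` with `["std", "derive"]`: the edge kinds let a tool place `codegen` and `regex` on the build side, but nothing in the document says whether `derive` was enabled by the runtime copy, the build-script copy, or both, so an SBOM built from this data has to either over-report or guess.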