EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Bug: cargo-deny-advisories does not operate on the right dependency tree #645

Closed sassman closed 3 months ago

sassman commented 3 months ago

Describe the bug

In a workspace project we depend on sqlx with some feature flags added, and default features disabled. This leads to a situation where some dependencies are present in the Cargo.lock that are actually not there because of the features.

So cargo tree -i sqlx-mysql does not yield anything, which is the expected result. Hence cargo tree sets the baseline for our expectations.

When running cargo deny check advisories -s we do see a different picture, as if it does not consider the feature flags.

To reproduce

You can find an example repo with a README.md that summarizes the things here:

https://github.com/sassman/cargo-deny-dep-graph-issue

cargo-deny version

0.12.2

What OS were you running cargo-deny on?

MacOS

Additional context

No response

sassman commented 3 months ago

Seems the issue is already fixed in cargo-deny 0.14.20