Closed Nemo157 closed 1 year ago
Do I understand correctly that the transitive dev dependencies are not compiled or even downloaded when compiling the root crate?
If that's the case, I think we should not only support this, but make this the default.
Yes, the dev-dependencies
of published crates are effectively ignored. https://crates.io doesn't even show them anymore in the web UI.
They don't even have to work: you can publish crates whose dev-dependencies
point to things like nonexistent git repos.
I believe I've implemented such filtering for https://github.com/Shnatsel/rust-audit already. I suppose it could be split into a shared crate or some such.
I think it is somewhat useful to see your own dev-dependency supply chain, those publishers are writing code that will run on your machine when testing, and within your CI pipelines; so I'm unsure what the default should be.
I'd surface the dev-dependencies for the toplevel crate(s) and exclude any dev-dependencies that are added transitively.
That already (sort of) happens implicitly, only local workspace crates' dev-dependencies are included in the lockfile. My usecase was grabbing a crate with cargo download
and wanting to inspect its dependency tree in isolation, in that situation even though it's the toplevel crate I don't care about its dev-dependencies.
I also find myself really wanting this feature. As a library developer I primarily care about what dependencies/publishers I'm hoisting onto my users. Dev dependencies still matter, of course, but not nearly as much since far fewer people will be building those.
With that in mind, the results as currently printed by cargo-supply-chain are close to useless for checking my own crates because it's 95% the dependency trees of e.g. proptest, criterion, and similar, which make it impossible to see the actual dependencies/publishers I care about due to the enormous noise.
A suggestion: instead of a flag, it could just print out the dev and non-dev dependencies as two separate lists. That way you can still see everything, but you can also just focus on the pertinent part of it.
If you're looking at someone else's crate to see what it will bring in as part of its supply chain you don't necessarily care about its dev-dependency supply chain. It would be useful to have a flag like
cargo supply-chain publishers --no-dev
to exclude them from the list (and maybe mark normal/build/dev differently somehow in the standard output).