EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀

Home Page: http://embark.rs

Bug: cargo-deny-advisories does not operate on the right dependency tree

sassman opened this issue · comments

Describe the bug

In a workspace project we depend on sqlx with some feature flags added, and default features disabled. This leads to a situation where some dependencies are present in the Cargo.lock that are actually not there because of the features.

So cargo tree -i sqlx-mysql does not yield anything, which is the expected result. Hence cargo tree sets the baseline for our expectations.

When running cargo deny check advisories -s we do see a different picture, as if it does not consider the feature flags.

To reproduce

You can find an example repo with a README.md that summarizes the things here:

https://github.com/sassman/cargo-deny-dep-graph-issue

cargo-deny version

0.12.2

What OS were you running cargo-deny on?

MacOS

Additional context

No response

Seems the issue is already fixed in cargo-deny 0.14.20
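
Added example, not part of the issue thread and not cargo-deny's code: a Python check that splits crates flagged by an advisory scan into those present in the `cargo tree` output (the baseline the report uses) and those that appear only in Cargo.lock. The lockfile text, tree text, version numbers and function names are constructed for illustration.

```python
import re

# Constructed sample Cargo.lock: lists sqlx-mysql although no enabled feature pulls it in.
SAMPLE_LOCK = '''\
[[package]]
name = "app"
version = "0.1.0"

[[package]]
name = "sqlx-core"
version = "0.7.1"

[[package]]
name = "sqlx-mysql"
version = "0.7.1"
'''

# Constructed `cargo tree --prefix none` output for the same workspace.
SAMPLE_TREE = '''\
app v0.1.0 (/work/app)
sqlx-core v0.7.1
sqlx-core v0.7.1 (*)
'''

def lock_packages(lock_text):
    """Return {(name, version)} for every [[package]] entry in a Cargo.lock."""
    pkgs, name = set(), None
    for line in map(str.strip, lock_text.splitlines()):
        if line == "[[package]]":
            name = None
        elif m := re.fullmatch(r'name = "(.+)"', line):
            name = m.group(1)
        elif name and (m := re.fullmatch(r'version = "(.+)"', line)):
            pkgs.add((name, m.group(1)))
    return pkgs

def tree_packages(tree_text):
    """Return {(name, version)} seen in `cargo tree --prefix none` output."""
    found = (re.match(r'(\S+) v(\S+)', l.strip()) for l in tree_text.splitlines())
    return {(m.group(1), m.group(2)) for m in found if m}

def triage(flagged, lock_text, tree_text):
    """Split flagged crate names: in the resolved tree vs. only in Cargo.lock."""
    in_tree = {n for n, _ in tree_packages(tree_text)}
    in_lock = {n for n, _ in lock_packages(lock_text)}
    return {"in_tree": sorted(set(flagged) & in_tree),
            "lock_only": sorted((set(flagged) & in_lock) - in_tree)}

if __name__ == "__main__":
    print(triage(["sqlx-core", "sqlx-mysql"], SAMPLE_LOCK, SAMPLE_TREE))
```

Generate the tree text with `cargo tree --prefix none`, passing the same feature flags as the build under review, since the tree changes with the features selected.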