Open
Opened on Aug 6, 2024
Cargo has made it possible to depend on the same version of a given crate with different feature sets, provided that one version is a runtime dependency and another is a build dependency. `cargo metadata` does not support this. We use it as our data source, so we may sometimes erroneously report certain build-only dependencies as runtime dependencies.
This would be automatically fixed with a better data source, if Cargo emitted SBOM information directly: rust-lang/rfcs#3553
Until then it might be possible to work around the limitations of `cargo metadata` using the `krates` crate: EmbarkStudios/krates#91
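
The misclassification described above, as an added illustration that is not the project's own code or part of the original issue: a walk over a constructed `cargo metadata`-style resolve graph that follows only normal edges to decide what counts as a runtime dependency. The package names, the shortened ids and the scenario (the `extra` feature being enabled only for the build-time use of `shared`) are assumptions made for the example.

```python
import json
from collections import deque

# Constructed sample shaped like `cargo metadata --format-version 1` output
# (only the fields used below); the package ids are shortened placeholders.
# Assumed scenario: only the build-side use of `shared` enables "extra",
# and "extra" is what pulls in `helper`.
SAMPLE = json.loads("""
{"resolve": {"root": "app", "nodes": [
  {"id": "app", "features": [], "deps": [
    {"name": "shared", "pkg": "shared",
     "dep_kinds": [{"kind": null, "target": null},
                   {"kind": "build", "target": null}]},
    {"name": "codegen", "pkg": "codegen",
     "dep_kinds": [{"kind": "build", "target": null}]}]},
  {"id": "shared", "features": ["default", "extra"], "deps": [
    {"name": "helper", "pkg": "helper",
     "dep_kinds": [{"kind": null, "target": null}]}]},
  {"id": "codegen", "features": [], "deps": []},
  {"id": "helper", "features": [], "deps": []}]}}
""")

def classify(metadata):
    """Return (runtime, build_only) package id sets from the resolve graph."""
    resolve = metadata["resolve"]
    nodes = {n["id"]: n for n in resolve["nodes"]}
    runtime, queue = {resolve["root"]}, deque([resolve["root"]])
    while queue:
        for dep in nodes[queue.popleft()]["deps"]:
            # kind null marks a normal edge; "build" and "dev" edges are skipped
            normal = any(k["kind"] is None for k in dep["dep_kinds"])
            if normal and dep["pkg"] not in runtime:
                runtime.add(dep["pkg"])
                queue.append(dep["pkg"])
    return runtime, set(nodes) - runtime

def dual_use(metadata):
    """Packages with both normal and build incoming edges: their single
    feature list, and everything below them, cannot be attributed."""
    kinds = {}
    for node in metadata["resolve"]["nodes"]:
        for dep in node["deps"]:
            kinds.setdefault(dep["pkg"], set()).update(
                k["kind"] for k in dep["dep_kinds"])
    return {pkg for pkg, seen in kinds.items() if {None, "build"} <= seen}
```

Here `helper` lands in the runtime set even though, in the assumed scenario, only the build-time copy of `shared` needs it; `dual_use` lists the packages below which such a result should be treated as uncertain.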
Labels: New feature or request