Support Cargo resolver v2

Cargo has [made it possible to depend on the same version of a given crate with different feature sets](https://doc.rust-lang.org/cargo/reference/resolver.html#feature-resolver-version-2), provided that one version is a runtime dependency and another is a build dependency.

`cargo metadata` [does not support this](https://rust-lang.github.io/rfcs/2957-cargo-features2.html#cargo-metadata). We use it as our data source, so we may sometimes erroneously report certain build-only dependencies as runtime dependencies.

This would be automatically fixed with a better data source, if Cargo emitted SBOM information directly: https://github.com/rust-lang/rfcs/pull/3553

Until then it might be possible to work around the limitations of `cargo metadata` using the `krates` crate: https://github.com/EmbarkStudios/krates/issues/91

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Support Cargo resolver v2 #760

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Support Cargo resolver v2 #760

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions