The usage of weak dependencies pollutes Cargo.lock

[c410-f3r]

Feel free to close if duplicated or if it is a "feature" of Cargo.

Problem

A feature declared with optional weak dependencies will unnecessarily pollute Cargo.lock with all the declared non-activated items as well as their transients, which is crazy.

Take for example the rust_decimal crate. If declared as rust_decimal = { default-features = false, version = "1.0" }, then Cargo.lock will contain 5 dependencies but if declared as rust_decimal = { default-features = false, features = ["std"], version = "1.0" }, then Cargo.lock will contain +40 dependencies.

# Cargo.toml (https://github.com/paupino/rust-decimal/blob/master/Cargo.toml#L80)

# ...

std = ["arrayvec/std", "borsh?/std", "bytecheck?/std", "byteorder?/std", "bytes?/std", "rand?/std", "rkyv?/std", "serde?/std", "serde_json?/std"]

# ...

$ cargo tree

rust_decimal v1.27.0
    ├── arrayvec v0.7.2
    └── num-traits v0.2.15
        [build-dependencies]
        └── autocfg v1.1.0

Version

1.65.0

[weihanglo]

Is this kinda a duplicate of #10801?

[c410-f3r]

It is, indeed.

[epage]

@weihanglo I thought #10801 is about lock files including optional features of direct dependencies. Does it also include indirect dependencies?

Note that in this issue, the lock file for

• rust_decimal = { default-features = false, version = "1.0" } contains 5 items
• rust_decimal = { default-features = false, features = ["std"], version = "1.0" } contains 40+ items

The number of lock file entries when std isn't specified I think confirms that #10801 is only about direct dependencies and shows this issue is independent of #10801.

The key part here is weak dependencies. It seems we are resolving the lock file as if none of those weak dependencies were weak.

Re-opening for now so this doesn't get lost track of. If there was something I missed, we can always re-close.

[weihanglo]

#10801 is

• bar depends on foo with feature serialization enabled.
• Feature serialization contains a weak dep feature time?/serde-well-known.
• Indirect optional dep time ended up in the lockfile.

#11426 is

• some_pkg depends on rust_decimal with feature std enabled.
• Feature std contains weak dep features borsh?/std, bytecheck?/std…
• Those indirect optional deps ended up in the lockfile.

I didn't see the difference between them 🤔.

[epage]

Somehow I had missed the weak dependency aspect of the other one. I've re-titled it to call that out. Of course, if there is another angle to that that I missed, let me know and we can fix it :)