Cargo has made it possible to depend on the same version of a given crate with different feature sets, provided that one version is a runtime dependency and another is a build dependency.
cargo metadata does not support this. We use it as our data source, so we may sometimes erroneously report certain build-only dependencies as runtime dependencies.
This would be automatically fixed with a better data source, if Cargo emitted SBOM information directly: rust-lang/rfcs#3553
Until then it might be possible to work around the limitations of cargo metadata using the krates crate: EmbarkStudios/krates#91
Cargo has made it possible to depend on the same version of a given crate with different feature sets, provided that one version is a runtime dependency and another is a build dependency.
cargo metadatadoes not support this. We use it as our data source, so we may sometimes erroneously report certain build-only dependencies as runtime dependencies.This would be automatically fixed with a better data source, if Cargo emitted SBOM information directly: rust-lang/rfcs#3553
Until then it might be possible to work around the limitations of
cargo metadatausing thekratescrate: EmbarkStudios/krates#91