How to prevent rustls from being included transitively by aws-config

I have the following dependency in my Cargo.toml:
aws-config = { version = "1.1.9", default-features = false, optional = true }

When I inspect my Cargo.lock, I see that rustls is pulled in as a transitive dependency through this chain:
rustls <- aws-smithy-http-client <- aws-smithy-runtime <- aws-config

Here is an excerpt from Cargo.lock showing aws-smithy-http-client’s dependencies, including multiple rustls crates:

[[package]]
name = "aws-smithy-http-client"
version = "1.0.0"
dependencies = [
    "rustls 0.21.12",
    "rustls 0.23.25",
    "rustls-native-certs 0.8.1",
    ...
]

The issue is that the rustls crate includes test files like handshake-test.1.1 and hello-api.devicecheck.apple.com.bin, which are triggering flags in our SBOM (Software Bill of Materials) scanning tools.

My question is:
How can I configure my dependencies (e.g., aws-config or its transitive crates) to avoid pulling in rustls altogether, so these test-related files don’t end up in my final Cargo.lock?


aws-smithy-http-client is a dev-dependency of aws-config, which means it will never actually be built. If your SBOM contains it anyway, then whichever tool generated the SBOM is too eager to add dependencies that will never actually be used.

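Added example, not part of the answer above or of any project's code: one way to list packages that are resolved but reachable only through dev edges, by walking the `resolve` graph in the JSON that `cargo metadata --format-version 1` emits. The sample graph is constructed, its dev edge encodes the answer's description as an assumption, the aws-smithy-runtime version is a placeholder, and a single root package is assumed.

```python
import json
from collections import deque

# Constructed sample in the shape of `cargo metadata --format-version 1`.
# The "dev" edge encodes the answer's description and is an assumption;
# the aws-smithy-runtime version is a placeholder.
SAMPLE = json.loads("""{
 "packages": [
  {"id": "p0", "name": "my-app", "version": "0.1.0"},
  {"id": "p1", "name": "aws-config", "version": "1.1.9"},
  {"id": "p2", "name": "aws-smithy-runtime", "version": "0.0.0-placeholder"},
  {"id": "p3", "name": "aws-smithy-http-client", "version": "1.0.0"},
  {"id": "p4", "name": "rustls", "version": "0.23.25"}
 ],
 "resolve": {"root": "p0", "nodes": [
  {"id": "p0", "deps": [{"pkg": "p1", "dep_kinds": [{"kind": null}]}]},
  {"id": "p1", "deps": [{"pkg": "p2", "dep_kinds": [{"kind": null}]},
                        {"pkg": "p3", "dep_kinds": [{"kind": "dev"}]}]},
  {"id": "p2", "deps": []},
  {"id": "p3", "deps": [{"pkg": "p4", "dep_kinds": [{"kind": null}]}]},
  {"id": "p4", "deps": []}
 ]}
}""")

def built_packages(meta):
    """Return package ids reachable from the root via normal or build edges."""
    nodes = {n["id"]: n for n in meta["resolve"]["nodes"]}
    root = meta["resolve"]["root"]
    seen, queue = {root}, deque([root])
    while queue:
        for dep in nodes[queue.popleft()]["deps"]:
            # A missing dep_kinds list is treated as a normal dependency.
            kinds = [k.get("kind") for k in dep.get("dep_kinds", [])] or [None]
            # The crate is compiled if at least one edge kind is not "dev".
            if any(k != "dev" for k in kinds) and dep["pkg"] not in seen:
                seen.add(dep["pkg"])
                queue.append(dep["pkg"])
    return seen

def locked_but_not_built(meta):
    """Return 'name version' for packages resolved but never compiled."""
    built = built_packages(meta)
    return sorted(f'{p["name"]} {p["version"]}'
                  for p in meta["packages"] if p["id"] not in built)

if __name__ == "__main__":
    for entry in locked_but_not_built(SAMPLE):
        print("resolved but not built:", entry)
```

On a real project, pass in `json.load` of the command's output instead of `SAMPLE`. `cargo tree -e no-dev -i rustls@0.23.25` answers the same question for a single crate from the command line.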