For example, the aes package is marked as vulnerable by some security tools. The pkcs5 package takes an optional dependency on aes. And pkcs8 takes a dependency on pkcs5, and pkcs1 takes a dependency on pkcs8, etc. (rsa is involved too)
Is there a way in the Cargo.toml to ban aes so that it doesn't end up in Cargo.lock?