For example, the aes package is marked as vulnerable by some security tools. The
pkcs5 package takes an optional dependency on
pkcs8 takes a dependency on
pkcs1 takes a dependency on
pkcs8, etc. (rsa is involved too)
Is there a way in the Cargo.toml to ban aes so that it doesn't end up in Cargo.lock?
If you have a CI setup, you could add a CI step like this one:
# anchored to the package name line, so aes-gcm, aes-soft, etc. don't trip the check
grep -q '^name = "aes"$' Cargo.lock ; test $? -eq 1
There are tools like cargo-deny for declaring and checking what you don't want.
It may not be possible to remove unused crates from Cargo.lock, depending on how they get there. The lockfile is designed to support the entire workspace on all platforms, not just the current build.
This may help you find what is pulling in the aes crate:
cargo tree -i aes -e features
and you may need to eliminate these dependencies.
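Putting the CI grep step and the "what is pulling it in" question together, here is an added POSIX sh example (not code from the thread) that fails when a banned crate is locked under exactly that name and lists the packages whose dependency arrays name it directly; the Cargo.lock content is a constructed sample, and the one-hop report is a simplification of what cargo tree -i shows.

```shell
# Constructed sample lockfile (not from the thread): pkcs8 depends on pkcs5, which depends on aes.
SAMPLE_LOCK='[[package]]
name = "aes"
version = "0.8.3"

[[package]]
name = "pkcs5"
version = "0.7.1"
dependencies = [
 "aes",
]

[[package]]
name = "pkcs8"
version = "0.10.2"
dependencies = [
 "pkcs5",
]
'
# lock_has_crate FILE CRATE: true only if CRATE is locked under exactly that name,
# so "pkcs" does not match "pkcs5" the way a bare grep would.
lock_has_crate() {
  grep -q "^name = \"$2\"\$" "$1"
}
# dependents_of FILE CRATE: print each package whose dependency list names CRATE;
# entries may carry a version or source suffix ("aes 0.8.3"), only the name is compared.
dependents_of() {
  awk -v crate="$2" '
    /^\[\[package\]\]/   { name = ""; indeps = 0 }
    /^name = /           { sub(/^name = "/, ""); sub(/"$/, ""); name = $0 }
    /^dependencies = \[/ { indeps = 1; next }
    indeps && /^\]/      { indeps = 0 }
    indeps {
      dep = $0
      gsub(/^[ \t]*"|",?[ \t]*$/, "", dep)  # strip quotes and trailing comma
      sub(/ .*/, "", dep)                   # drop version/source suffix
      if (dep == crate) print name
    }' "$1"
}
# check_banned FILE CRATE: CI gate; returns 1 and names direct dependents when CRATE is locked, else 0.
check_banned() {
  if lock_has_crate "$1" "$2"; then
    echo "banned crate '$2' is locked in $1; pulled in by:" >&2
    dependents_of "$1" "$2" | sed 's/^/  /' >&2
    return 1
  fi
}
LOCK="${TMPDIR:-/tmp}/sample-Cargo.lock"; printf '%s' "$SAMPLE_LOCK" > "$LOCK"
check_banned "$LOCK" aes || echo "CI step would fail here (status $?)"
```

In a real pipeline, call check_banned Cargo.lock aes as the step and let its non-zero status fail the job.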