Notable dependencies — which dependencies-of-dependencies would you like to be aware of?

Currently, crates.io and crates.rs list only direct dependencies of each crate, but not the full list of dependencies-of-dependencies, so you don't actually see everything that a crate pulls in.

I'd like to improve it by also showing a few "notable" dependencies-of-dependencies. The full tree would be too big and too noisy to be helpful at first glance, so I'd like to filter it down to only the interesting subdependencies out of that tree and show them alongside the direct dependencies.

Which dependencies should be shown?

I'm assuming that there are some dependencies that you may want to be warned about, e.g. maybe they're too heavy, not supported on your platform, or require 3rd party tools or libraries that you don't have installed.

For example, I'd highlight when a crate ends up unconditionally depending on bindgen (likely via some -sys crate), because that's a fairly heavy compile-time dependency and I don't always want to install llvm. It's not meant to say a dependency is "bad", but to help make a decision whether a crate's dependencies are suitable and avoid surprises.

Are there crates you'd like to nominate?

3 Likes

Restrictive/incompatible licenses might be something people want to be notified of.
(came up in Any code that I produce using Rust, is it subject to copyright? - #17 by azriel91)

1 Like

Good point, I'll add that to the license section.

winapi and other OS specific crates which are not covered by proper cfgs.

As pointed out in the other thread, it's not just a matter of GPL, but given the technicalities of Rust linkage, LGPL is also something you probably don't want in the Rust dependencies of your app unless you are distributing the full source code for the app (even if you are OK with LGPL C dependencies).

Fun times in the light of item 10 in the Open Source Definition ("License Must Be Technology-Neutral").

It would probably be a good idea to highlight licenses that aren't MPL 2.0, Apache 2.0, MIT, 3-clause BSD or 2-clause BSD.

3 Likes
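To make the filtering discussed in this thread concrete (the first post's "unconditionally depends on bindgen", the note about OS-specific crates not covered by proper cfgs, and the license allowlist suggested just above), here is an added example, not code from crates.rs or any of the posters. It walks a small dependency graph constructed inline (the crate names `myapp`, `image-sys`, `ffi-helper` and `lgpl-codec` are hypothetical; the edges and licenses are made up for the example) and reports only dependencies-of-dependencies that a reader would want to be warned about. The walk over edges with no cfg or feature gate is how "unconditionally reached" is decided; the license check runs over everything a default build pulls in, cfg-gated edges included, since those still ship on the matching platform.

```rust
use std::collections::{BTreeSet, HashMap, VecDeque};

/// One dependency edge as it would appear in a crate's manifest.
#[derive(Clone, Debug)]
pub struct Dep {
    pub name: &'static str,
    /// `Some("cfg(windows)")` when the edge only applies to that target; `None` when unconditional.
    pub target: Option<&'static str>,
    /// Feature-gated dependency that is off by default.
    pub optional: bool,
}

#[derive(Clone, Debug)]
pub struct Package {
    pub license: &'static str,
    pub deps: Vec<Dep>,
}

pub type Graph = HashMap<&'static str, Package>;

/// Ordering of the variants decides the order of the final report.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Notice {
    /// Heavy build-time dependency (bindgen, and so llvm) reached without any cfg or feature gate.
    HeavyBuildDep(String),
    /// OS-specific crate reached through a path with no target cfg on it.
    OsSpecificWithoutCfg(String),
    /// Transitive crate whose license expression falls outside the permissive allowlist.
    License { crate_name: String, license: String },
}

const HEAVY_BUILD_DEPS: &[&str] = &["bindgen"];
const OS_SPECIFIC: &[&str] = &["winapi", "core-foundation-sys"];
// Allowlist from the thread: MPL 2.0, Apache 2.0, MIT, 3-clause BSD, 2-clause BSD.
const PERMISSIVE: &[&str] = &["MPL-2.0", "Apache-2.0", "MIT", "BSD-3-Clause", "BSD-2-Clause"];

fn dep(name: &'static str, target: Option<&'static str>) -> Dep {
    Dep { name, target, optional: false }
}

/// Constructed sample graph; crate names other than bindgen, clang-sys, winapi and
/// core-foundation-sys are hypothetical, and all edges and licenses are made up.
pub fn sample_graph() -> Graph {
    let mut g = Graph::new();
    g.insert("myapp", Package { license: "MIT", deps: vec![dep("image-sys", None), dep("ffi-helper", None)] });
    g.insert("image-sys", Package { license: "MIT", deps: vec![
        dep("bindgen", None),                                            // unconditional: will be flagged
        dep("core-foundation-sys", Some("cfg(target_os = \"macos\")")), // properly cfg-gated: not flagged
    ] });
    g.insert("bindgen", Package { license: "BSD-3-Clause", deps: vec![dep("clang-sys", None)] });
    g.insert("clang-sys", Package { license: "Apache-2.0", deps: vec![] });
    g.insert("core-foundation-sys", Package { license: "MIT OR Apache-2.0", deps: vec![] });
    g.insert("ffi-helper", Package { license: "MIT", deps: vec![
        dep("winapi", None),     // OS-specific crate with no cfg(windows): will be flagged
        dep("lgpl-codec", None), // LGPL transitive dependency: will be flagged
        Dep { name: "tracing", target: None, optional: true }, // off by default: ignored
    ] });
    g.insert("winapi", Package { license: "MIT OR Apache-2.0", deps: vec![] });
    g.insert("lgpl-codec", Package { license: "LGPL-3.0-only", deps: vec![] });
    g.insert("tracing", Package { license: "MIT", deps: vec![] });
    g
}

/// Breadth-first walk from `root` over the edges accepted by `follow`.
/// Returns every crate reached (the root itself excluded); cycles are handled by the `seen` set.
pub fn closure(graph: &Graph, root: &str, follow: impl Fn(&Dep) -> bool) -> BTreeSet<String> {
    let mut seen = BTreeSet::new();
    let mut queue = VecDeque::from([root.to_string()]);
    while let Some(name) = queue.pop_front() {
        let pkg = match graph.get(name.as_str()) {
            Some(p) => p,
            None => continue, // crate missing from the graph: nothing to expand
        };
        for d in pkg.deps.iter().filter(|d| follow(d)) {
            if seen.insert(d.name.to_string()) {
                queue.push_back(d.name.to_string());
            }
        }
    }
    seen
}

/// SPDX-style expression: acceptable if any `OR` alternative has all of its `AND` terms on the allowlist.
pub fn license_allowed(expr: &str) -> bool {
    expr.split(" OR ").any(|alt| {
        alt.split(" AND ")
            .all(|term| PERMISSIVE.contains(&term.trim().trim_matches(&['(', ')'][..])))
    })
}

/// Notable dependencies-of-dependencies of `root`: crates that are not direct dependencies
/// but that a reader would probably want to be warned about.
pub fn notable(graph: &Graph, root: &str) -> Vec<Notice> {
    let direct: BTreeSet<&str> = graph
        .get(root)
        .map(|p| p.deps.iter().map(|d| d.name).collect())
        .unwrap_or_default();
    // Everything a default build pulls in: non-optional edges, cfg-gated ones included.
    let default_build = closure(graph, root, |d| !d.optional);
    // Crates reachable through a path with neither a cfg gate nor a feature gate on it.
    let unconditional = closure(graph, root, |d| !d.optional && d.target.is_none());

    let mut out = Vec::new();
    for name in unconditional.iter().filter(|n| !direct.contains(n.as_str())) {
        if HEAVY_BUILD_DEPS.contains(&name.as_str()) {
            out.push(Notice::HeavyBuildDep(name.clone()));
        }
        if OS_SPECIFIC.contains(&name.as_str()) {
            out.push(Notice::OsSpecificWithoutCfg(name.clone()));
        }
    }
    for name in default_build.iter().filter(|n| !direct.contains(n.as_str())) {
        if let Some(pkg) = graph.get(name.as_str()) {
            if !license_allowed(pkg.license) {
                out.push(Notice::License { crate_name: name.clone(), license: pkg.license.to_string() });
            }
        }
    }
    out.sort();
    out
}

fn main() {
    for notice in notable(&sample_graph(), "myapp") {
        println!("{:?}", notice);
    }
}
```

On the sample graph this reports bindgen (reached unconditionally via `image-sys`), winapi (reached via `ffi-helper` without a cfg) and `lgpl-codec` (LGPL-3.0-only), while `core-foundation-sys` stays quiet because its only edge is behind `cfg(target_os = "macos")`, and the optional `tracing` edge is ignored entirely. Feeding the same logic with real data would mean building `Graph` from `cargo metadata`, which records the `target` and `optional` fields per dependency edge.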