Bug: cargo-deny combines features from all workspace crates #792

@YurBoiRene

Describe the bug

I am using cargo-deny to check that a specific feature configuration meets certain license requirements using cargo-deny (great project!). I can use --manifest-path and --exclude-unpublished to only check the crate I want to check, but the license check will fail because an unrelated workspace crate enables a feature that includes the problematic licensed crates.

From what I can tell, this is an issue in cargo metadata (issue here) and thus an issue in krates.

My workaround is to create a new crate in a temp dir and add the package I am interested in checking as a local path dependency, which works perfectly. But this behavior is not intuitive and not documented in cargo-deny. I think a good fix would be to have this "bug" and the workaround documented, probably on the common level in the docs.

To reproduce

  1. Create a workspace
  2. Add three workspace member crates; the second two depend on the first, which has a feature that enables an unallowed license dependency
  3. One workspace crate enables this feature and is publish = false, the other does not enable this feature and is publish = true.
  4. Run cargo deny --exclude-unpublished check licenses and the bad license will fail the check
  5. Do cargo tree --package crate2 -e features and see that the problem dep is not included in the build

cargo-deny version

0.18.4

What OS were you running cargo-deny on?

Linux

Additional context

No response
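
The temp-crate workaround described in the issue, written out as an added shell example (not code from the issue author or the cargo-deny project). The function names `make_probe` and `check_licenses`, the probe package name `deny-probe`, and the choice of `default-features = false` with an explicit feature list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a throwaway crate outside the workspace whose only
# dependency is the crate under test, so feature resolution starts from that
# crate alone instead of from every workspace member.

# make_probe CRATE_NAME CRATE_DIR [FEATURES]
#   FEATURES is a comma-separated list such as "std,tls"; empty means none.
#   Prints the path of the generated probe directory.
make_probe() {
    name=$1
    crate_dir=$(cd "$2" && pwd) || return 1   # absolute path for the path dep
    features=${3:-}
    probe=$(mktemp -d) || return 1

    # Turn "a,b" into the TOML array body "a", "b".
    feat_toml=""
    if [ -n "$features" ]; then
        feat_toml=$(printf '%s' "$features" | sed 's/[^,][^,]*/"&"/g; s/,/, /g')
    fi

    mkdir "$probe/src" && : > "$probe/src/lib.rs" || return 1
    cat > "$probe/Cargo.toml" <<EOF
[package]
name = "deny-probe"
version = "0.0.0"
edition = "2021"
publish = false

[dependencies]
$name = { path = "$crate_dir", default-features = false, features = [$feat_toml] }
EOF
    printf '%s\n' "$probe"
}

# check_licenses CRATE_NAME CRATE_DIR FEATURES DENY_TOML
#   Runs the license check against the probe, using the project's own config.
check_licenses() {
    probe=$(make_probe "$1" "$2" "$3") || return 1
    cargo deny --manifest-path "$probe/Cargo.toml" check --config "$4" licenses
    status=$?
    rm -rf "$probe"
    return "$status"
}
```

The probe crate has no `license` field of its own, so either give it one your policy allows or have `deny.toml` ignore private crates (`[licenses.private] ignore = true`). The probe also resolves its own lockfile, so the versions checked can differ from the workspace's `Cargo.lock`.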
