Skip to main content
Built a binary with #RustLang using the `cargo auditable build` command. Running `cargo audit bin <binary>` gives me "parse error: Failed to deserialize audit data from JSON: The input JSON specifies a cyclic dependency graph". Question one: does a cyclic dependency graph in the JSON even matter when auditing the binary? Question two: how do I identify the crates participating in the cycle when tracking it down by hand from the extracted JSON is a rabbit hole due to the vast amount of crates?
#rustlang
Fabio Valentini
Fabio Valentini  
hm. that sounds like a JSON processing bug in cargo-audit? the dependency graph for "normal" dependencies isn't allowed to have cycles, I think. (with dev-dependencies, cycles are possible, but those don't affect built binaries so shouldn't be included anyway)
silwol
silwol  
@decathorpe I can also imagine dependencies with optional features resulting in a cycle here, but no idea whether that's the case here.
@Fabio Valentini
Fabio Valentini
Fabio Valentini  
I'm pretty sure you can't even *build* something that doesn't have an acyclic dependency graph? cargo needs to figure out the order in which to build dependencies too, and if there's cycles, that should fail
silwol
silwol  
@decathorpe That's true, but I imagine that the embedded JSON structure might not differentiate between the different features that are enabled in a crate as dependency of one crate versus those enabled as dependency of a different crate. Just a guess though.
@Fabio Valentini
silwol
silwol  
@decathorpe Managed to reproduce it by stripping down the workspace crate by crate, it is in fact a dev dependency. Created a minimal reproduction example in a repository and reported the issue.
https://github.com/rustsec/rustsec/issues/1043

Cyclic dependency graph error for dev-dependency · Issue #1043 · rustsec/rustsec

Having two projects (for example a and b) in the dependency tree can trigger this error when running cargo audit bin : error: parse error: Failed to deserialize audit data from JSON: The in...
GitHub
@Fabio Valentini