Built a binary with #RustLang using the `cargo auditable build` command. Running `cargo audit bin <binary>` gives me "parse error: Failed to deserialize audit data from JSON: The input JSON specifies a cyclic dependency graph". Question one: does a cyclic dependency graph in the JSON even matter when auditing the binary? Question two: how do I identify the crates participating in the cycle when tracking it down by hand from the extracted JSON is a rabbit hole due to the vast number of crates?
hm. that sounds like a JSON processing bug in cargo-audit? the dependency graph for "normal" dependencies isn't allowed to have cycles, I think. (with dev-dependencies, cycles are possible, but those don't affect built binaries so shouldn't be included anyway)
@decathorpe I can also imagine dependencies with optional features resulting in a cycle here, but no idea whether that's the case here.
I'm pretty sure you can't even *build* something that doesn't have an acyclic dependency graph? cargo needs to figure out the order in which to build dependencies too, and if there are cycles, that should fail
@decathorpe That's true, but I imagine that the embedded JSON structure might not differentiate between the different features that are enabled in a crate as dependency of one crate versus those enabled as dependency of a different crate. Just a guess though.
@decathorpe Managed to reproduce it by stripping down the workspace crate by crate, it is in fact a dev dependency. Created a minimal reproduction example in a repository and reported the issue.
https://github.com/rustsec/rustsec/issues/1043
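
For the second question in the thread, one way to locate a cycle in the extracted JSON without walking it by hand. This is an added example, not code from the thread or from cargo-audit; it assumes the cargo-auditable layout of a `packages` array whose `dependencies` entries are indices into that array, and the function name `find_cycle` and the sample crate names are made up.

```python
import json

# Constructed sample in the assumed cargo-auditable layout: "dependencies"
# holds indices into the "packages" array. Crate names are invented.
SAMPLE = """
{"packages": [
  {"name": "app", "version": "0.1.0", "source": "local", "root": true, "dependencies": [1, 3]},
  {"name": "core-lib", "version": "0.1.0", "source": "local", "dependencies": [2]},
  {"name": "test-helpers", "version": "0.1.0", "source": "local", "dependencies": [1]},
  {"name": "leaf", "version": "1.2.3", "source": "crates.io"}
]}
"""

def find_cycle(audit_json):
    """Return one dependency cycle as 'name version' labels, or [] if acyclic."""
    pkgs = json.loads(audit_json)["packages"]
    deps = [p.get("dependencies", []) for p in pkgs]
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on current path / done
    state = [WHITE] * len(pkgs)
    for start in range(len(pkgs)):
        if state[start] != WHITE:
            continue
        # Iterative DFS so a very deep graph cannot hit the recursion limit.
        state[start] = GREY
        path = [start]                    # indices on the current DFS path
        stack = [iter(deps[start])]       # one dependency iterator per path entry
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:               # all dependencies explored: backtrack
                state[path.pop()] = BLACK
                stack.pop()
            elif state[nxt] == GREY:      # edge back into the current path: cycle
                cyc = path[path.index(nxt):] + [nxt]
                return [f'{pkgs[i]["name"]} {pkgs[i]["version"]}' for i in cyc]
            elif state[nxt] == WHITE:
                state[nxt] = GREY
                path.append(nxt)
                stack.append(iter(deps[nxt]))
    return []

if __name__ == "__main__":
    print(" -> ".join(find_cycle(SAMPLE)) or "no cycle")
```

The returned list starts and ends with the same crate, so the edge that closes the loop is the last pair in the list.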