There seems to be over-reporting for Cargo dependencies #9717

Open
sschuberth opened this issue Jan 9, 2025 · 1 comment

@sschuberth
Member

The more I look at this, the more skeptical I become that ORT is even doing the correct thing for normal crates today. Having modified the http-body crate to not use a virtual workspace, ORT remains very insistent that addr2line is a dependency, and puts it in a NOTICE_DEFAULT file when creating a report.

addr2line shows up in the output of cargo metadata, but isn't present in cargo tree for either crate. From manually parsing the output of cargo metadata it appears that the theoretical dependency chain is

http-body-util
    has a dev-dependency on
tokio
    has a dependency on
backtrace
    has a dependency on
addr2line

BUT tokio's only reference to backtrace is as an optional dependency as part of an unstable feature which is not enabled by http-body-util.

This means ORT is listing sub-dependencies which are demonstrably not actually included by cargo build.

Originally posted by @rtzoeller in #8874
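
The dependency chain described in the post above, as an added example that is not part of the original issue or of ORT's code: it walks `cargo metadata`-shaped JSON twice, once following every declared dependency and once skipping optional dependencies that no enabled feature activates, and reports the difference. The sample data, the package ids shortened to crate names, and the feature name `unstable-dump` are constructed for illustration; renamed dependencies are not handled.

```python
import json

# Constructed sample shaped like `cargo metadata --format-version 1` output.
# Package ids are shortened to crate names; the feature "unstable-dump" is made up.
METADATA = json.loads("""
{"packages": [
  {"name": "http-body-util", "features": {},
   "dependencies": [{"name": "tokio", "kind": "dev", "optional": false}]},
  {"name": "tokio", "features": {"default": [], "unstable-dump": ["dep:backtrace"]},
   "dependencies": [{"name": "backtrace", "kind": null, "optional": true}]},
  {"name": "backtrace", "features": {},
   "dependencies": [{"name": "addr2line", "kind": null, "optional": false}]},
  {"name": "addr2line", "features": {}, "dependencies": []}],
 "resolve": {"root": "http-body-util", "nodes": [
  {"id": "http-body-util", "features": []}, {"id": "tokio", "features": ["default"]},
  {"id": "backtrace", "features": []}, {"id": "addr2line", "features": []}]}}
""")

def activates(pkg, enabled, dep):
    """True if an enabled feature of pkg switches on the optional dependency dep."""
    if dep in enabled:  # implicit feature named after the dependency
        return True
    return any(item in (dep, f"dep:{dep}") or item.startswith(f"{dep}/")
               for feat in enabled for item in pkg["features"].get(feat, []))

def reachable(meta, honour_features):
    """Crates reachable from the root over declared dependency edges."""
    pkgs = {p["name"]: p for p in meta["packages"]}
    enabled = {n["id"]: set(n["features"]) for n in meta["resolve"]["nodes"]}
    root = meta["resolve"]["root"]
    seen, todo = set(), [root]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        for dep in pkgs[name]["dependencies"]:
            if honour_features:
                if dep["kind"] == "dev" and name != root:
                    continue  # dev-dependencies are only built for the root crate
                if dep["optional"] and not activates(pkgs[name], enabled[name], dep["name"]):
                    continue  # optional and no enabled feature turns it on
            todo.append(dep["name"])
    return seen

def over_reported(meta):
    """Crates a naive walk reports that the feature-aware walk never reaches."""
    return sorted(reachable(meta, False) - reachable(meta, True))

if __name__ == "__main__":
    print(over_reported(METADATA))
```
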

@sschuberth
Member Author

There's a bunch of filtering going on in here which we might need to apply as well.
