Cargo Resolver V2 (different feature sets for build and runtime dependencies) is not supported

[Shnatsel]

Cargo has made it possible to depend on the same version of a given crate with different feature sets, provided that one version is a runtime dependency and another is a build dependency.

The dependency resolution in rust-audit was written prior to that change, and it's possible that auditable-serde collates these two packages.

The deduplication is done on the package ID from cargo-metadata, and we'll need to double-check that this is in fact correct even in the presence of the new Cargo feature resolver:

https://github.com/Shnatsel/rust-audit/blob/d7fa6fff1861799adab41638267e0457b7ba4698/auditable-serde/src/lib.rs#L219

[Shnatsel]

cargo metadata doesn't support Resolver V2: rust-lang/cargo#10718

So unfortunately we're stuck with potentially reporting more dependencies than what actually went into the build if all of the below are true:

1. The same package is used as both build/runtime and development dependency
2. The package has more features enabled when used as a development dependency than when used as a runtime dependency
3. The package's features enabled only when used as a dev dependency pull in additional dependencies not present in the runtime dependency tree

[Shnatsel]

A reproducing test case can be found in this branch: https://github.com/rust-secure-code/cargo-auditable/tree/fix-resolver-v2

rust-lang/rfcs#3553 is required to fix this.

[Shnatsel]

It might be possible to support using the krates crate and using code along these lines:
https://github.com/Shnatsel/krates/blob/9b813f753393dc46053b2852a751f0777918dc57/examples/resolver_v2.rs

Although the status of resolver v2 support in krates is not entirely clear: EmbarkStudios/krates#91