cargo-dephell 0.1.0

Analyzes a project's third-party dependencies.
cargo-dephell-0.1.0 is not a library.

Cargo dephell

cargo dephell

Cargo dephell is a tool to analyze the third-party dependencies imported by a rust crate or rust workspace. It makes use of guppy to parse dependencies, geiger to find unsafe code and loc to count the number of lines of code. Cargo dephell is heavily biased towards the libra codebase (where we have a workspace, we don't have internal crates that are not listed in the workspace, we don't care about the rust edition of dependencies too much, etc.)

Usage

Make sure you've built your crate or workspace first.

Just run the program on the relevant Cargo.toml and output the result to an HTML file:

cargo run -- --manifest-path ./Cargo.toml --o analysis_results.html

Note that you might need a personnal access token to query the Github API. You can get one easily by following these steps:

Go to your github Settings:

github settings

Go to the Developer settings:

github dev settings

Go to the Personall Access Token page and click on the Generate new token button:

github personal access token

Once there, just:

  • give it a name
  • don't check any boxes
  • generate the token

once you have it, pass it as:

cargo run -- --manifest-path ./Cargo.toml -o analysis_results.html -g <username>:<token>

so for example:

cargo run -- --manifest-path ./Cargo.toml -o analysis_results.html -g mimoo:3902jfoiewjf130fjeowijfw

Limitations

Keep in mind that this is a best-effort way to assess third party dependencies, this is for a number of reasons that we document here:

  • The transitives dependencies imported by a dependency are not feature-dependent, which is deceiving to say the least (this should be fixed soon).
  • The lines of code metric is not accurate in general as it includes EVERY files of the crate folder.
  • The lines of rust code metric is not accurate in general because it includes EVERY .rs files of the crate folder, and for every file it includes every features, tests, etc.
  • If several versions of a dependency are imported, the results are computed on the first dependency we encounter. This is deceiving because versions can change the repository, the lines of code, the dependencies they import, etc.

Roadmap

If you want to help:

  1. Make cargo dephell work.
  2. Add the number of new transitive dependencies added by a dependency. (so that we can say stuff like "without dependency X we could get rid of Y dependencies").
  3. Check if the code on the given repository is the same as the code uploaded on crates.io
  4. Display the date of the last commit, or last version released, of a dependency.
  5. Add an AUDIT.toml file to track who has audited what SHA-1 commit of which repository.
  6. Add feature-sensisite support (blocked on guppy at the moment). Furthermore it would be great if we can dynamically enable and disable features in the HTML output.
  7. Display the dependency graph with dot (and d3).