Could we do this without compiling cargo as a dependency?

[gilescope]

Cargo's not the lightest dependency and with it's dependency on openssl it's tricky to build. I know this is a tall order but I'm just wondering if we could shell out to cargo and get it to tell us some of the information without needing to link it in?

I'd totally accept this is in the 'hard' category.

[gilescope]

Prior art: cargo install cargo-deps
That manages to figure out the dependencies without linking to cargo.

[ChrisGreenaway]

I don't have a problem with cargo as a dependency other than its dependence on the additional build tools that have to be installed because of OpenSSL.

I prefer using the cargo API rather than interacting via a shelled out process - it's more robust.

If you wanted to make a PR so that our usage of cargo used rustls, thus getting rid of the OpenSSL dependency, that would be interesting.

[ChrisGreenaway]

How does the cargo-deps project handle this?

[gilescope]

Hmm not sure cargo-deps takes an official route. I think it manually parses the lock file. I know there's a cargo lock crate one should use if one's going in that direction.
Better yet, https://crates.io/crates/cargo_metadata seems to be the standard way to introspect the output of cargo metadata which seems to have the dependency info in it. I don't know if that's everything that's needed but if so that would dramatically reduce dependencies / build time.

[ChrisGreenaway]

Worth noting that openssl is an optional dependency for cargo.