How to prevent rustls from being included transitively by aws-config

⚓ rust    📅 2025-06-06    👤 surdeus    👁️ 5

surdeus

I have the following dependency in my Cargo.toml:
aws-config = { version = "1.1.9", default-features = false, optional = true }

When I inspect my Cargo.lock, I see that rustls is pulled in as a transient dependency through this chain:
rustls <- aws-smithy-http-client <- aws-smithy-runtime <- aws-config

Here is an excerpt from Cargo.lock showing aws-smithy-http-client's dependencies, including multiple rustls crates:

[[package]]
name = "aws-smithy-http-client"
version = "1.0.0"
dependencies = [
    "rustls 0.21.12",
    "rustls 0.23.25",
    "rustls-native-certs 0.8.1",
    ...
]

The issue is that the rustls crate includes test files like handshake-test.1.1 and hello-api.devicecheck.apple.com.bin, which are triggering flags in our SBOM (Software Bill of Materials) scanning tools.

My question is:
How can I configure my dependencies (e.g., aws-config or its transitive crates) to avoid pulling in rustls altogether, so these test-related files don't end up in my final Cargo.lock?

Would you like me to help you with specific Cargo.toml configurations to exclude rustls?
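
The chain quoted in the post can be recovered from any Cargo.lock by walking its dependency lists in reverse, which shows which crate has to change before rustls leaves the lockfile. The following is an added example, not part of the original post; the lockfile excerpt is constructed and the helper names (reverse_deps, chains, chains_to) are hypothetical.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed Cargo.lock excerpt using the crate names from the post; version,
// source and checksum lines are omitted because the parser below ignores them.
const SAMPLE: &str = r#"
[[package]]
name = "aws-config"
dependencies = [
 "aws-smithy-runtime",
]
[[package]]
name = "aws-smithy-runtime"
dependencies = [
 "aws-smithy-http-client",
]
[[package]]
name = "aws-smithy-http-client"
dependencies = [
 "rustls 0.21.12",
 "rustls 0.23.25",
 "rustls-native-certs 0.8.1",
]
"#;

/// Map each crate name to the crates that list it as a dependency (versions ignored).
fn reverse_deps(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let (mut rev, mut pkg) = (BTreeMap::<String, BTreeSet<String>>::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            pkg = name.trim_matches('"').to_string();
        } else if line.starts_with('"') { // "name", "name version" or "name version (source)"
            let dep = line.trim_matches(|c: char| c == '"' || c == ',').split(' ').next().unwrap_or("");
            rev.entry(dep.to_string()).or_default().insert(pkg.clone());
        }
    }
    rev
}

/// One chain per top-level crate that reaches `krate`; each crate is walked once, so cycles end.
fn chains(rev: &BTreeMap<String, BTreeSet<String>>, krate: &str, seen: &mut BTreeSet<String>) -> Vec<String> {
    if !seen.insert(krate.to_string()) { return Vec::new(); }
    match rev.get(krate) {
        None => vec![krate.to_string()], // nothing depends on it: top of the chain
        Some(ps) => ps.iter().flat_map(|p| chains(rev, p, seen)).map(|c| format!("{krate} <- {c}")).collect(),
    }
}

fn chains_to(lock: &str, target: &str) -> Vec<String> {
    let (rev, mut seen) = (reverse_deps(lock), BTreeSet::new());
    if rev.contains_key(target) { chains(&rev, target, &mut seen) } else { Vec::new() }
}

fn main() { for chain in chains_to(SAMPLE, "rustls") { println!("{chain}"); } }
```

On a real project, `cargo tree -i rustls@0.21.12` gives the same inverted view from the resolved graph; the version suffix is needed when more than one rustls version is locked.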
