Prohibit non-Rust deps with Cargo (or any other tool) for a Rust binary

⚓ Rust    📅 2026-03-08    👤 surdeus

surdeus

Hi!

I am trying to find a way to prohibit introducing non-Rust dependencies into my Rust project. E.g. if one of my direct or transitive dependencies is non-Rust, I want to stop the compilation process with some error. I am mostly interested in prohibiting C and C++ deps (usually packed as a *-sys package), but prohibiting all non-Rust deps (like D, Zig, etc.) is the final goal.

I didn't find such functionality in Cargo itself. I've also checked cargo-deny, but with no success either. The most I can do with cargo-deny is maintain my own list of non-Rust deps and "ban" them explicitly. It's not a viable option in my case, since at any time a new non-Rust dependency can be introduced into my dependency tree mistakenly by me or just by one of my Rust dependencies. Maintaining an allowed list of "good" dependencies is also not an option, since it requires a ridiculous amount of effort. Looking only at the crate name (like the *-sys pattern) is not a robust solution, since anyone can name a non-Rust package without this suffix.

Why do I want to do it? There are several reasons:

  • Cybersecurity government recommendations. In some cases, any C or C++ dependency can be considered an additional attack vector during cybersec evaluation/certification, etc. (remember the US CISA articles about non-memory-safe languages). I have at least one use case where it can become a business problem.
  • Compiler optimizations. When any of my dependencies is non-Rust, I get an additional bunch of problems when applying LTO and PGO, because in this case I need to do cross-lang LTO and cross-lang PGO. It's a much more difficult thing to maintain compared to Rust-only LTO and PGO. I want to use all of these optimizations for the whole application, and don't care about cross-lang stuff.

I have several ideas about how it could be implemented, like checking the whole cargo tree, finding all build.rs scripts, and banning everything that invokes cc-rs or something like that (btw, this way also has its own flaws). But now I am looking for something ready-to-use.

Thank you.
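The tree-walking idea from the post above, as an added example that is not part of the original post or of any existing tool: it reads `cargo metadata --format-version 1` JSON and flags packages by their `links` key and build-dependencies instead of by crate name. The helper-crate list, the `audit` function and the sample crate names are assumptions made for the illustration.

```python
import json
import sys

# Build-time crates commonly used to compile or bind foreign code.
# Assumption of this example; the list is not exhaustive.
NATIVE_BUILD_HELPERS = {"cc", "cmake", "bindgen", "pkg-config", "vcpkg", "cxx-build"}

# Constructed sample shaped like `cargo metadata --format-version 1` output
# (only the fields the audit reads; all crate names are hypothetical).
SAMPLE = {"packages": [
    {"name": "app", "version": "0.1.0", "links": None,
     "targets": [{"kind": ["bin"]}], "dependencies": []},
    {"name": "zwrap-sys", "version": "1.2.0", "links": "z",
     "targets": [{"kind": ["lib"]}, {"kind": ["custom-build"]}],
     "dependencies": [{"name": "pkg-config", "kind": "build"}]},
    {"name": "fastmath", "version": "0.3.1", "links": None,
     "targets": [{"kind": ["lib"]}, {"kind": ["custom-build"]}],
     "dependencies": [{"name": "cc", "kind": "build"}]},
    {"name": "codegen", "version": "2.0.0", "links": None,
     "targets": [{"kind": ["lib"]}, {"kind": ["custom-build"]}],
     "dependencies": []},
]}


def audit(metadata):
    """Return {'deny': {...}, 'review': {...}} keyed by 'name version'."""
    report = {"deny": {}, "review": {}}
    for pkg in metadata["packages"]:
        key = f"{pkg['name']} {pkg['version']}"
        reasons = []
        if pkg.get("links"):  # `links` declares a native library to link
            reasons.append(f"links={pkg['links']}")
        helpers = sorted({d["name"] for d in pkg.get("dependencies", [])
                          if d.get("kind") == "build" and d["name"] in NATIVE_BUILD_HELPERS})
        reasons += [f"build-dep:{h}" for h in helpers]
        has_build_rs = any("custom-build" in t["kind"] for t in pkg.get("targets", []))
        if reasons:
            report["deny"][key] = reasons
        elif has_build_rs:  # build.rs can run arbitrary code; needs a human look
            report["review"][key] = ["build script without known helper"]
    return report


if __name__ == "__main__":
    # `cargo metadata --format-version 1 | python3 audit.py -` audits a real tree.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    result = audit(data)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["deny"] else 0)
```

This remains a heuristic: a build script that calls a compiler directly, or a crate that ships prebuilt objects, lands in `review` or is missed entirely, so the `review` bucket still needs manual inspection.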
