Optional features are enabled even when not activated #2911

Closed
fstephany opened this issue Nov 29, 2023 · 7 comments

@fstephany

Bug Description

Optional features are unexpectedly activated

Minimal Reproduction

  1. Create empty project
$ cargo new deps-test
$ cd deps-test
$ cargo add sqlx
  2. Specify the features in the dependencies section:
[dependencies]
sqlx = { version = "0.7.3", default-features = false, features = [
    "runtime-tokio-rustls",
    "postgres"
] }

All is good, the Cargo.lock does not include unnecessary clutter (even though sqlx-macros is already there):

[[package]]
name = "sqlx"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dba03c279da73694ef99763320dea58b51095dfe87d001b1d4b5fe78ba8763cf"
dependencies = [
 "sqlx-core",
 "sqlx-macros",
 "sqlx-postgres",
]
  3. Add the uuid feature:
[dependencies]
sqlx = { version = "0.7.3", default-features = false, features = [
    "runtime-tokio-rustls",
    "postgres",
    "uuid"
] }

Check the Cargo.lock again. There are now sqlite and mysql listed while they were not expected?

[[package]]
name = "sqlx"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dba03c279da73694ef99763320dea58b51095dfe87d001b1d4b5fe78ba8763cf"
dependencies = [
 "sqlx-core",
 "sqlx-macros",
 "sqlx-mysql",
 "sqlx-postgres",
 "sqlx-sqlite",
]

Info

  • SQLx version: 0.7.3
  • SQLx features enabled: See example
  • Database server and version: Postgres
  • Operating system: Fedora 39
  • rustc --version: 1.74.0

@fstephany fstephany added the bug label Nov 29, 2023

@truehumandesign
Contributor

truehumandesign commented Nov 29, 2023

Got the same problem here.
cargo-audit fails with this even if I explicitly don't use the sqlx-mysql feature:

Crate:     rsa
Version:   0.9.5
Title:     Marvin Attack: potential key recovery through timing sidechannels
Date:      2023-11-22
ID:        RUSTSEC-2023-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity:  7.4 (high)
Solution:  No fixed upgrade is available!
Dependency tree:
rsa 0.9.5
└── sqlx-mysql 0.7.3
    └── sqlx-macros-core 0.7.3
        └── sqlx-macros 0.7.3

[dependencies]
sqlx = { version = "0.7.3", default-features = false, features = [
    "runtime-tokio",
    "postgres",
    "chrono",
    "json",
] }

@abonander
Collaborator

This may be a Cargo bug, or a misinterpretation of the Cargo.lock because we use the new ? syntax when forwarding features to the macros and driver crates: https://doc.rust-lang.org/cargo/reference/features.html#dependency-features

@lmaotrigine

This seems to be a Cargo.lock "quirk", so to speak. I am unsure if this is intended, but I can verify that doing a cargo tree doesn't include the additional crates. They also aren't fetched or compiled during builds. Why they end up in the lockfile, though, I'm not sure. It does seem weird that it only happens when enabling certain features like time, chrono, or uuid and not otherwise.

@abonander
Collaborator

Regardless, this doesn't sound like a SQLx issue so I think I'm going to close.

I'd recommend opening one upstream.

@abonander abonander closed this as not planned Nov 30, 2023

@fstephany
Author

Yep, you are right it's probably not SQLx related.
Thanks all for having a look 👍

@truehumandesign
Contributor

Also thanks from my side! 👍

@lmaotrigine

for posterity, this seems to be rust-lang/cargo#10801, and this bug has impacted sqlx before. leaving this comment so that people know where to look when they happen upon this issue.
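
The comparison described in this thread (crates recorded in Cargo.lock but absent from cargo tree) can be scripted to triage a cargo-audit finding such as the rsa one above. This is an added example, not part of the thread or of SQLx; the function names, the tree.txt file name and the trimmed sample data are constructed, and it assumes tree output saved with `cargo tree --prefix none --target all`.

```shell
#!/bin/sh
# lock_only_crates LOCKFILE TREEFILE
# Prints "name version" for each crate recorded in Cargo.lock that is absent
# from saved cargo tree output, i.e. locked but not part of the build graph.
lock_only_crates() {
    awk '
        # File 1: cargo tree lines such as "sqlx-core v0.7.3 (*)"
        pass == 1 { if ($2 ~ /^v[0-9]/) built[$1 " " substr($2, 2)] = 1; next }
        # File 2: Cargo.lock, where each [[package]] has a name then a version
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /    { gsub(/"/, "", $3); name = $3; next }
        /^version = / {
            gsub(/"/, "", $3); key = name " " $3
            # name is empty on the lockfile format line "version = 3"
            if (name != "" && !(key in built)) print key
            name = ""
        }
    ' pass=1 "$2" pass=2 "$1" | LC_ALL=C sort -u
}

# Constructed sample data, trimmed and modelled on the files quoted in this thread.
write_sample() {
    { echo 'version = 3'
      for p in 'deps-test 0.1.0' 'rsa 0.9.5' 'sqlx 0.7.3' 'sqlx-core 0.7.3' \
               'sqlx-macros 0.7.3' 'sqlx-macros-core 0.7.3' 'sqlx-mysql 0.7.3' \
               'sqlx-postgres 0.7.3' 'sqlx-sqlite 0.7.3'; do
          # $p is left unquoted on purpose so it splits into name and version
          printf '[[package]]\nname = "%s"\nversion = "%s"\n\n' $p
      done; } > "$1/Cargo.lock"
    printf '%s\n' 'deps-test v0.1.0 (/tmp/deps-test)' 'sqlx v0.7.3' \
        'sqlx-core v0.7.3' 'sqlx-postgres v0.7.3' 'sqlx-core v0.7.3 (*)' \
        > "$1/tree.txt"
}

if [ $# -eq 2 ]; then
    # Real use: cargo tree --prefix none --target all > tree.txt
    lock_only_crates "$1" "$2"
else
    d=$(mktemp -d) && write_sample "$d" && lock_only_crates "$d/Cargo.lock" "$d/tree.txt"
    rm -rf "$d"
fi
```

An advisory whose crate appears in this output is flagged from the lockfile only; regenerate the tree output after any feature change before relying on the result.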
