Workspace crate skipped

[repi]

I ran into an issue when adding cargo-deny to wayland-rs repo in https://github.com/Smithay/wayland-rs/pull/320, cargo-deny didn't find and analyze the license of wayland-cursor. Which, ironically, was the main one I wanted to find due to a GPL-3.0 license in it (https://github.com/Smithay/wayland-rs/issues/319).

The root workspace https://github.com/Smithay/wayland-rs/blob/master/Cargo.toml for that repo looks like this :

[package]
name = "wayland-test"
version = "0.0.1"
publish = false
autotests = false

[dependencies]
wayland-commons = { path = "./wayland-commons" }
wayland-scanner = { path = "./wayland-scanner" }
wayland-client = { path = "./wayland-client", default-features = false }
wayland-server = { path = "./wayland-server", default-features = false }
wayland-protocols = { path = "./wayland-protocols", features = ["client", "server"] }
wayland-sys = { path = "./wayland-sys" }

[workspace]
members = [
    "wayland-sys",
    "wayland-scanner",
    "wayland-client",
    "wayland-server",
    "wayland-protocols",
    "wayland-commons",
    "wayland-cursor",
    "wayland-egl"
]

Note that wayland-cursor is not listed in the [dependencies] section, only the [workspace] section, and was skipped and cargo-deny didn't list its license (nor fail due to it being GPL-3.0).

Could there be a bug in our cargo-deny handling of the root crate, where if it is a package we only use the [dependencies] section and ignore [workspace]? But if there isn't a root package then we use the workspace members? That could explain this as one has to use both in this case to find all the crates in the workspace. But could of course also be some other problem.