Investigate how we could reduce binary size by forbidding duplicated dependencies with `cargo-deny`

[mavilein]

We know that we use certain dependencies in multiple crates in different versions. This probably results in a bigger size of the binaries as a dependency is included multiple times. We want to look into how we could use cargo-deny to enforce that only one version of a dependency is used. One example for this seems to be the use of serde. We require the current versions right now: 1, 1.0, 1.0.90, 1.0.102.

This task is about finding out whether cargo-deny can help us improve this situation by having some centralized rules.

Out of scope: This task is not about automation in CI yet. We will first look at the results of this investigation and then decide what to do next.

[carmenberndt]

Current binary sizes:

13M introspection-engine 16M migration-engine 3.6M prisma-fmt 18M query-engine 16M test-cli

[carmenberndt]

Unused dependencies (by using udeps)

`datamodel v0.1.0 (/Users/carmen/Documents/prisma-engines/libs/datamodel/core)`
└─── dependencies
     └─── "bytecount"
`dml v0.1.0 (/Users/carmen/Documents/prisma-engines/libs/datamodel/connectors/dml)`
└─── dependencies
     └─── "itertools"
`introspection-core v0.1.0 (/Users/carmen/Documents/prisma-engines/introspection-engine/core)`
└─── dev-dependencies
     ├─── "pretty_assertions"
     └─── "test-setup"
`query-engine v0.1.0 (/Users/carmen/Documents/prisma-engines/query-engine/query-engine)`
├─── dependencies
│    └─── "pretty_assertions"
└─── dev-dependencies
     └─── "introspection-core"
`sql-introspection-connector v0.1.0 (/Users/carmen/Documents/prisma-engines/introspection-engine/connectors/sql-introspection-connector)`
└─── dev-dependencies
     ├─── "barrel"
     ├─── "test-macros"
     └─── "test-setup"

[carmenberndt]

Multiple versions with the same crate:

• winapi: 0.2.8 and 0.3.9
• wasi: 0.10.0+wasi-snapshot-preview1 and wasi 0.9.0+wasi-snapshot-preview1
• url: 1.7.2 and 2.2.0
• unicode-xid: 0.1.0 and 0.2.1
• time: 0.1.44 and 0.2.22
• syn: 0.15.44 and 1.0.48
• strsim: 0.8.0 and 0.9.3
• sha2: 0.8.2 and 0.9.2
• quote: 0.6.13 and 1.0.7
• pro-macro2: 0.4.30 and 1.0.24
• pin-project-internal: 0.4.27 and 1.0.1
• pin-project: 0.4.27 and 1.0.1
• percent-encoding: 1.0.1 and 2.1.0
• parking_lot_core: 0.7.2 and 0.8.0
• parking_lot: 0.10.2 and 0.11.0
• opaque-debug: 0.2.3 and 0.3.0
• miow: 0.2.1 and 0.3.5
• md5: 0.6.1 and 0.7.0
• lock-api: 0.3.4 and 0.4.1
• indoc: 0.3.6 and 1.0.3
• idna: 0.1.5 and 0.2.0
• hmac: 0.10.1 and 0.8.1
• hashbrown: 0.6.3 and 0.9.1
• getrandom: 0.1.15 and 0.2.0
• generic-array: 0.12.3 and 0.14.4
• futures: 0.1.30 and 0.3.7
• crypto-mac: 0.10.0 and 0.8.0
• crossbeam-utils: 0.7.2 and 0.8.0
• cloudabi: 0.0.3 and 0.0.1
• cfg-if: 0.1.10 and 1.0.0
• block-buffer: 0.7.3 and 0.9.0
• bigdecimal: 0.1.2 and 0.2.0
• base64: 0.11.0, 0.12.3 and 0.13.0
• autocfg: 0.1.7 and 1.0.1
• ansi-term: 0.11.0 and 0.12.1

However, this tool does not check whether there are multiple versions of e.g. serde installed. It only looks into the lock files.

I've also tried cargo clippy -- -A clippy::all -W clippy::multiple_crate_versions, but this has the same behaviour.

[carmenberndt]

Update: #1411 shows that even if there are no duplicated dependencies, the binary sizes are still as mentioned above.

[carmenberndt]

Other ideas:

• run cargo with opt-level 'z' instead of 3 new binary sizes: 12M introspection-engine (- 1M) 14M migration-engine (-2M) 3.7M prisma-fmt (+ 0.1M) 16M query-engine (-2M) 14M test-cli (- 2M)
• additionally run with lto set to true (Enable Link Time Optimization) new binary sizes: 12M introspection-engine (- 1M) 14M migration-engine (-2M) 3.4M prisma-fmt (- 0.2M) 16M query-engine (-2M) 14M test-cli (- 2M)
• additionally set codegen-units to 1 (Reduce Parallel Code Generation Units) new binary sizes: 9.9M introspection-engine (- 3.1M) 12M migration-engine (-4M) 11k prisma-fmt (- 3.5M) 13M query-engine (-5M) 12M test-cli (- 4M)

[carmenberndt]

Using cargo-bloat to list big crates, quaint takes up lots of space: