Tom Fay

> Could you update the CHANGELOG with an entry for this addition? > > Thank you for pinging me with the use case example and for persisting in asking about...

Isn't that a case of cargo being more accurate than cargo metadata? Without a build.rs, a crate can have no build dependencies, regardless of what is declared in Cargo.toml.

> Okay, I think I found an actual bug in Cargo: if I run `cargo +nightly build -Z sbom --release` and then `CARGO_BUILD_SBOM=true cargo +nightly build -Z sbom --release`, the...

The cargo SBOM is correct for that test fixture *if* you build with `-p top_level_crate`. If you don't, then cargo passes all the workspace members over to the feature resolver,...

Hmm... I don't think this is a cargo-auditable or cargo SBOM bug. Perhaps it's a cargo bug relating to workspace feature resolution but it's not a reporting bug. I think...