zola needs too many dependencies (398), some of them in multiple versions (24), one has a deprecation warning

[winspool]

Enhancement request

Disclaimer: Using "rustc" / "cargo" for the first time.

I found a blog with a reference to zola, and decided to build it.

A huge amount of dependencies where downloaded and build in 7min 39sec,
followed by a big deprecation warning:

Finished `release` profile [optimized] target(s) in 7m 39s
warning: the following packages contain code that will be rejected by a future version of Rust: quick-xml v0.17.2
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`

I learned (with ps -ax during the build), that "$HOME/.cargo/registry/" is used as build dir,
so i looked there:

From inspecting the directory names, zola depends on a lot of projects (398),
and some of them (24) are included multiple times in different versions:

$ ls -1 | grep ".*-" | rev | cut -d "-" -f2- | rev |  tee _packages_no_ver.txt | wc -l
398

$ ls -1 |  grep ".*-" |  rev | cut -d "-" -f2- | rev | sort -u | tee _packages_no_dupes.txt
 |  wc -l
374

$ diff -u _packages_no_ver.txt   _packages_no_dupes.txt | grep -v " "
-ahash
-aho-corasick
-base64
-bitflags
-block-buffer
-bytes
-cfg-if
-digest
-generic-array
-getrandom
-hashbrown
-hashbrown
-itertools
-mio
-phf
-phf_codegen
-phf_generator
-phf_shared
-quick-xml
-rand
-rand_chacha
-rand_core
-syn
-toml

So 24 packages are downloaded and build multiple times.
The winner is "hashbrown", which is present in 3 versions.

The final executable has no symbols and there is no debug file nearby,
so I have no Idea,
if the duplicate packages are filtered out during linking,
or if they are included in the resulting huge 37MB program multiple times.

$ size zola
   text	   data	    bss	    dec	    hex	filename
26232962	12023984	  21432	38278378	24814ea	zola

Environment

Zola version: git 6d4b110

I found two rustc versions on my system, but i don't know, which was used.
rustc 1.75.0 (82e1608df 2023-12-21) (built from a source tarball)
rustc 1.80.1 (3f5fd8dd4 2024-08-06) (built from a source tarball)

I have only one cargo version installed:
cargo 1.80.1 (376290515 2024-07-16)

Expected Behavior

rust claims:
A language empowering everyone to build reliable and efficient software

Including dependencies in multiple versions in a project is not efficient.

Current Behavior

zola was not used yet, it's just about building enhancements

• Avoid to depend on multiple versions of a package
• Avoid outdated packages

Step to reproduce

Just build and see the deprecation warning and the duplicate packages.
$HOME/.cargo/registry/src/index.crates.io-6f17d22bba15001f

[winspool]

In the meantime, i found the dependency tree for the old "quick-xml v0.17" with cargo tree:

zola v0.19.2 (.../zola)
├── console v0.1.0 (.../zola/components/console)
│   ├── errors v0.1.0 (.../zola/components/errors)
│   │   └── anyhow v1.0.89
│   └── libs v0.1.0 (.../zola/components/libs)

│       ├── quickxml_to_serde v0.6.0
│       │   ├── minidom v0.12.0
│       │   │   └── quick-xml v0.17.2

I didn't look at the other packages, where 'zola' depends on multiple versions.

[Keats]

There is #2452 for that specific dependency issue

As for the other duplicate dependencies, not much we can do except bumping the deps regularly. I did do some PRs to various crates to update things but it's too much work tbh, and the maintainers are not necessarily active