Expose the hidden cost of your Rust dependencies.
Rust's ecosystem encourages adding crates liberally, but nobody shows you the real cost: transitive dependency explosion, compile time impact, dead weight, security exposure. cargo crategeist gives you the full picture in one command.
```sh
cargo install crategeist
cargo crategeist
```

That's it. It scans your project and produces a terminal report plus a self-contained HTML file covering four areas:
- Security — audits against the RustSec advisory database with CVSS scores and patched versions
- Compile time — per-crate build time via `cargo build` JSON message parsing (runs a clean build)
- Dead deps — regex scan of all `.rs` files to find dependencies declared but never referenced
- Build blockers — critical path through the dependency DAG, plus most depended-on crates
```
--skip-timing       skip compile time measurement (no build triggered)
--skip-security     skip security audit (no network needed)
--html <PATH>       HTML output path [default: crategeist-report.html]
--manifest-path     path to Cargo.toml
-p, --package       target specific package(s) in a workspace
```
Crategeist handles workspaces out of the box. Security and timing run workspace-wide, while unused detection and critical path analysis run per-member.
```sh
cargo crategeist                  # all members
cargo crategeist -p my-crate      # one member
cargo crategeist -p foo -p bar    # multiple
```

```
👻 crategeist report: backend

security
  RUSTSEC-2023-0071  rsa v0.9.10  5.9 (medium)  Marvin Attack: potential key recovery

compile time
  parking_lot_core v0.9.12   7.03s  11.3%
  serde v1.0.228             6.89s  11.1%
  aws-types v1.3.13          5.08s   8.2%
  rustls v0.21.12            5.07s   8.2%
  total wall clock: 51.15s | sum of crate times: 61.97s

dead dependencies
  x aws-config v1.8.14 — consider removing
  x hyper v1.8.1 — consider removing

build blockers
  critical path (longest dependency chain):
  ├─ proc-macro2 v1.0.106 (0.32s)
  ├─ syn v2.0.117
  ├─ serde v1.0.228 (6.89s)
  ├─ rustls v0.23.37 (2.56s)
  ├─ sqlx v0.8.6
  ├─ rapina v0.8.0
  └─ backend v0.1.0
  critical path total: 14.30s
```
Wall-clock timing is approximate — cargo builds in parallel, so the sum of per-crate times exceeds the actual wall clock. Dead dependency detection can produce false positives for proc macros and build-only deps, since they're used implicitly without appearing in source code.
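The false-positive caveat above matters when a "dead" finding is used to prune dependencies and shrink the advisory surface. The following is an added example, not crategeist's code: a name-based scan that separates plain removal candidates from unreferenced proc-macro or build-only deps that need a manual look. The `implicit` flag, the crate `acme-derive` and the sample source are constructed assumptions.

```rust
// Added example (not crategeist's code). `implicit` = proc-macro or build-only dep.
struct Dep { name: &'static str, implicit: bool }

// Constructed sample manifest; `acme-derive` is a hypothetical proc-macro crate.
const DEPS: [Dep; 5] = [
    Dep { name: "serde", implicit: false },
    Dep { name: "aws-config", implicit: false },
    Dep { name: "hyper", implicit: false },
    Dep { name: "hyper-util", implicit: false },
    Dep { name: "acme-derive", implicit: true },
];

// Constructed sample source file.
const MAIN_RS: &str = r#"
use serde::Serialize;
use hyper_util::rt::TokioIo; // hyper_util is a different crate from hyper
// TODO: go back to hyper::Client once the upgrade lands
async fn cfg() { let _ = aws_config::load_from_env().await; }
"#;

fn is_ident(c: char) -> bool { c.is_alphanumeric() || c == '_' }
// Drop `//` comments so a crate named only in a comment does not count as used.
fn strip_line_comments(src: &str) -> String {
    src.lines().map(|l| l.split("//").next().unwrap_or("")).collect::<Vec<_>>().join("\n")
}
// True if `ident` appears as a whole identifier, so `hyper_util` is no hit for `hyper`.
fn mentions(src: &str, ident: &str) -> bool {
    src.match_indices(ident).any(|(i, m)| {
        let before = src[..i].chars().next_back();
        let after = src[i + m.len()..].chars().next();
        !before.map_or(false, is_ident) && !after.map_or(false, is_ident)
    })
}
// Returns (removal candidates, unreferenced-but-implicit deps to review by hand).
fn triage(deps: &[Dep], sources: &[&str]) -> (Vec<&'static str>, Vec<&'static str>) {
    let code: Vec<String> = sources.iter().map(|s| strip_line_comments(s)).collect();
    let (mut dead, mut review) = (Vec::new(), Vec::new());
    for d in deps {
        let ident = d.name.replace('-', "_"); // Cargo package name -> Rust identifier
        if code.iter().any(|s| mentions(s, &ident)) { continue; }
        if d.implicit { review.push(d.name) } else { dead.push(d.name) }
    }
    (dead, review)
}

fn main() { println!("{:?}", triage(&DEPS, &[MAIN_RS])); }
```

On the sample input, `hyper` is the only removal candidate, while `acme-derive` lands in the review list instead of being reported as dead.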
Stable Rust 1.85+. Network access for the security audit (or pass --skip-security). Requires Cargo.lock to exist.
MIT