Security: Redis crate compiled unconditionally, increasing attack surface #100

@mantono

Description

In Cargo.toml, the redis crate is listed as an unconditional dependency, but it is only used behind #[cfg(feature = "redis")] in the source code. The [features] section defines redis = [] (empty), meaning the feature flag never activates the dependency, yet the crate is always compiled and linked.

This unnecessarily increases the attack surface and binary size for all builds, even when Redis is not used.

Severity

Low

Suggested Fix

Make the dependency optional and wire the feature flag to activate it.
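The suggested fix as a Cargo.toml sketch. This is an added example, not taken from the issue or the project's repository; `"<version>"` is a placeholder for whatever version the project already pins, and the rest of the manifest is assumed unchanged.

```toml
# Cargo.toml

# Before (as described in the issue): the crate is a hard dependency and the
# feature is empty, so toggling the feature changes nothing in the build graph.
#
#   [dependencies]
#   redis = "<version>"
#
#   [features]
#   redis = []

# After: the crate is only resolved, compiled and linked when the feature is on.
[dependencies]
redis = { version = "<version>", optional = true }  # "<version>" is a placeholder

[features]
# `dep:redis` ties the feature to the optional dependency.
# The `dep:` syntax requires Cargo 1.60 or newer.
redis = ["dep:redis"]

# The existing #[cfg(feature = "redis")] gates in the source need no change:
# they already key off the feature name, which now also controls the dependency.
```

To confirm the result, `cargo tree --no-default-features -i redis` should no longer find the crate in the dependency graph, assuming no other dependency pulls it in.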
