Workspace members and dependency isolation #24844

@pront

Background

Vector's workspace currently includes both production code and the vdev development tool as workspace members. This creates a potential risk: due to Cargo's feature unification behavior, if vdev enables features on shared workspace dependencies, those features would automatically be enabled for Vector's production binary as well.

Example

# Cargo.toml (workspace root)
[workspace.dependencies]
reqwest = { version = "0.11", features = ["json"] }

# vdev/Cargo.toml
[dependencies]
reqwest = { workspace = true, features = ["blocking"] }  # Enables 'blocking' flag for entire workspace

Why This Matters

  1. Security:
    • As vdev evolves and adds more dependencies, unwanted features could unintentionally leak into production builds
    • Developers adding features to vdev may not realize they're affecting the production binary
  2. Dependency Hygiene: Production deployments should only include production dependencies
  3. Binary Size: Unnecessary features could increase binary size

Guidelines

When adding dependencies to vdev:

  • Be aware that workspace dependencies with additional features will affect Vector's production build
  • Document any intentional feature additions that affect the workspace
  • If the new feature / feature flag has unwanted side effects for Vector, then we might have to completely exclude vdev from the workspace
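One way to check for the situation described in this issue, as an added example that is not part of the original post or of Vector's code base: compare the features each workspace member requests in `cargo metadata --format-version 1 --no-deps` output and report those that only the tooling member requests on a dependency production code also uses. The sample JSON is constructed to mirror the reqwest example, and treating every member other than `vdev` as production, and the metadata as listing the merged feature set per member, are assumptions.

```python
import json

# Constructed sample in the shape of `cargo metadata --format-version 1 --no-deps`,
# trimmed to the fields used here; it mirrors the reqwest example in the issue.
SAMPLE_METADATA = json.loads("""
{
  "packages": [
    {"name": "vector", "dependencies": [
      {"name": "reqwest", "kind": null, "features": ["json"]},
      {"name": "serde", "kind": null, "features": ["derive"]}]},
    {"name": "vdev", "dependencies": [
      {"name": "reqwest", "kind": null, "features": ["json", "blocking"]},
      {"name": "serde", "kind": null, "features": ["derive"]},
      {"name": "clap", "kind": null, "features": ["derive"]}]}
  ]
}
""")


def requested_features(metadata, members):
    """Map dependency name -> set of features requested by the given members."""
    wanted = {}
    for pkg in metadata["packages"]:
        if pkg["name"] not in members:
            continue
        for dep in pkg["dependencies"]:
            if dep.get("kind") == "dev":  # only built for tests, examples, benches
                continue
            wanted.setdefault(dep["name"], set()).update(dep["features"])
    return wanted


def tooling_only_features(metadata, tooling=("vdev",)):
    """Features only tooling members request on a dependency production also uses."""
    all_names = {pkg["name"] for pkg in metadata["packages"]}
    # Assumption: every workspace member not listed in `tooling` ships in production.
    prod = requested_features(metadata, all_names - set(tooling))
    tool = requested_features(metadata, set(tooling))
    return {
        dep: sorted(tool[dep] - prod[dep])
        for dep in sorted(tool.keys() & prod.keys())
        if tool[dep] - prod[dep]
    }


if __name__ == "__main__":
    for dep, feats in tooling_only_features(SAMPLE_METADATA).items():
        print(f"{dep}: requested only by tooling: {', '.join(feats)}")
```

In CI, the same function can be fed `json.load(sys.stdin)` from the real `cargo metadata` output and the job failed when the result is non-empty.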
