Bug: unused workspace dependency false positive when `[graph] exclude` is used

[eric-seppanen]

Describe the bug

I exclude a few crates from cargo-deny analysis, to selectively allow crates with problematic dependencies in non-production tools.

However, when I enable unused-workspace-dependencies detection, I find that each excluded crate is incorrectly reported as an unused workspace dependency.

To reproduce

I created a minimal workspace:

[workspace]
resolver = "3"
members = ["test1"]

[workspace.dependencies]
anyhow = "1.0.98"

[package]
name = "test1"
version = "0.1.0"
edition = "2024"

[dependencies]
anyhow.workspace = true

I then created a default deny.toml with cargo deny init and made two additions:

[graph]
exclude = [
  "anyhow"
]

[bans.workspace-dependencies]
unused = "deny"

Now, cargo deny check bans reports:

error[unused-workspace-dependency]: workspace dependency is declared, but unused
  ┌─ .../Cargo.toml:6:1
  │
6 │ anyhow = "1.0.98"
  │ ━━━━━━ unused workspace dependency

bans FAILED

cargo-deny version

cargo-deny 0.18.2

What OS were you running cargo-deny on?

Linux

Additional context

No response