Rust Dependencies Scare Me
a year ago
- #Dependency Management
- #Rust
- #Software Development
- The author expresses concern about Rust's dependency management, particularly the reliance on crates.io and the potential risks of unmaintained packages.
- A personal experience with the 'dotenv' crate, which was found to be unmaintained, led to questioning the necessity of certain dependencies.
- The author highlights the size and complexity of a project's dependency tree: vendoring the dependencies brought the code base to 3.6 million lines, compared with 11,136 lines without them.
- Concerns are raised about the feasibility of auditing that much third-party code, especially when the author's own contribution to the project is only around 1,000 lines.
- The author discusses the trade-offs of adding more to Rust's standard library, considering Rust's goals of performance, safety, and modularity.
- The difficulty of managing dependencies is underscored by examples from companies like Cloudflare and ClickHouse, which also rely on external crates.
- The author questions how to address these dependency management challenges, suggesting a need for better tools or practices.