Rust Dependencies Scare Me
- #Dependency Management
- #Rust
- #Software Development
- The author expresses concern about Rust's dependency management, particularly the ease of adding crates without considering their necessity or maintenance status.
- A personal experience with the 'dotenv' crate, which was found to be unmaintained, led the author to question the need for certain dependencies and to manually implement required functionality.
- The author highlights the complexity and size of dependencies like Tokio and Axum, which, while powerful and well-maintained, contribute significantly to the project's line count.
- Vendoring dependencies resulted in a project with 3.6 million lines of code, dwarfing the author's own contribution of around 1,000 lines, raising concerns about code auditability.
- The author discusses the trade-offs of adding more to Rust's standard library, noting the language's goals of performance, safety, and modularity, especially for embedded systems.
- Questions are raised about how companies like Cloudflare audit their dependencies and the challenges of managing binary sizes and unnecessary features in crates.
- The author concludes by questioning the current state of Rust's dependency ecosystem and what can be done to improve it, while humorously offering their services for Rust roles.
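The summary mentions that the author dropped the unmaintained `dotenv` crate and hand-wrote the needed functionality, but the post's own code is not reproduced here. The following is an added example, not the author's code: a dependency-free `.env` parser that assumes `KEY=VALUE` lines, `#` comments, an optional `export ` prefix, single- or double-quoted values, and that variables already present in the process environment take precedence over the file.

```rust
use std::collections::BTreeMap;

/// Parse the text of a .env file into key/value pairs.
/// Blank lines and `#` comments are skipped; anything else must be KEY=VALUE.
pub fn parse_dotenv(text: &str) -> Result<BTreeMap<String, String>, String> {
    let mut vars = BTreeMap::new();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        // Shell-style `export KEY=VALUE` is accepted as well.
        let line = line.strip_prefix("export ").unwrap_or(line).trim_start();
        let (key, value) = line
            .split_once('=')
            .ok_or_else(|| format!("line {}: expected KEY=VALUE", n + 1))?;
        let key = key.trim();
        if key.is_empty() || !key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
            return Err(format!("line {}: invalid key {:?}", n + 1, key));
        }
        let value = value.trim();
        let value = match value.chars().next() {
            // Quoted value: take everything up to the matching quote, keeping '#'.
            Some(q @ ('"' | '\'')) => match value[1..].find(q) {
                Some(end) => value[1..1 + end].to_string(),
                None => return Err(format!("line {}: unterminated quote", n + 1)),
            },
            // Unquoted value: strip a trailing " # comment".
            _ => value.split(" #").next().unwrap_or("").trim().to_string(),
        };
        vars.insert(key.to_string(), value);
    }
    Ok(vars)
}

/// Resolve the effective value of each key: an existing process environment
/// variable wins over the file, so a deployment can override a checked-in .env.
pub fn resolve(vars: &BTreeMap<String, String>) -> BTreeMap<String, String> {
    vars.iter()
        .map(|(k, v)| (k.clone(), std::env::var(k).unwrap_or_else(|_| v.clone())))
        .collect()
}

fn main() {
    // Constructed sample input, not a real project's .env file.
    let sample = "# database\nexport DB_URL=\"postgres://localhost/app\"\nDEBUG=true # inline\n";
    let vars = parse_dotenv(sample).expect("valid .env");
    for (k, v) in resolve(&vars) {
        println!("{k}={v}");
    }
}
```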