Hey why do I see even small projects have over a 100 dependencies it needs to compile? Does rust/cargo suffer from the same problem as npm?

· · Web · 5 · 2 · 4

@DrWhax Could you please give examples, so that we can evaluate it properly.

@DrWhax the general consensus seems to be that this is not considered a problem. using 3rd party packages is easier than in c/c++, so there are fewer giant frameworks and less "everyone reimplements the same stuff over and over again". instead you just have more small packages. also, the standard library is intentionally small in order to reduce the maintenance burden and avoid a future choice keeping technical debt or introducing breaking changes.

@guenther a trusted computing base, how am I supposed to give any guarantees for so many dependencies?

@DrWhax I think the number of dependencies matters much less than their total size: whether you got a hundred 10-line crates or one 1000-line library, it's still 1k LOC to audit.

@DrWhax Rust doesn’t have the problems node / npm does, as far as I can tell. The std crate is much more powerful, so you don’t need crates like isNumber or isEven.

@DrWhax @minoru @guenther @friend @stchris @bugaevc
I think this is a really nuanced topic.

potentially 100 authors you have to trust:
well, do you trust your own code, when you have to reimplement things that some people have probably already thought more carefully about? I wouldn't.

Instead of looking at the number of dependencies, I'd rather look at what *kind* of dependencies are used: are they still maintained, do they have unit tests, are they widely used in other libs etc.


@DrWhax @minoru @guenther @friend @stchris @bugaevc

I think that these metrics are much more important.

In general I lean much more to the "use a lib" and "don't reinvent the wheel" side:

However, if you have very special requirements, it might make sense to not use a lib and implement it yourself.

There is so much more to say - this doesn't fit all in some toots 🐘



Regarding the "rage" crate: I am actually pretty glad that they use these libs, because most of them are crypto-related afaict. A project that deals with cryptography while barely using libs would be very suspicious to me.

@minoru @guenther @friend @stchris @bugaevc

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!