Rust Dependencies scare Me

I do not pretend to have more experience or understanding than the top level engineers I often see writing blogs here, but what I am is annoyed. I love rust. It’s by far my favorite language, I enjoy the community and the language ergonomics. I’ve been able to incorporate it into projects in my day job where fit.

Rust’s dependencies are starting to worry me. For those who don’t code in Rust, Rust provides an ecosystem of crates through crates.io, allowing users to helpfully install them with the command cargo add, or by simply adding the requested crate and version to the Cargo.toml file. This paradigm is similar to NPM for nodejs.

The Good

Cargo is helpful and a huge productivity booster, ensuring I don’t have to hunt around and link files myself with something like CMake. This also allows me to swap between architectures and operating systems pretty frequently, mainly my M1 macbook air and my x86 Debian desktop. In general I don’t have to think much about package management and gets me right into writing code.

The Bad

Not thinking about package management careful makes me sloppy. In a recent production project I pulled in dotenv a crate I’ve seen many other rust developers use. This worked fine for multiple weeks until recently when checking a rust security advisory mentioning that dotenv is unmaintained. Below is a suggested alternative dotenvy. This whole fiasco led me tho think …. do I even need this crate at all? 35 lines later I had the parts of dotenv I needed. Packages become un-mainted in every language and it was my choice to pull in an arguably trivial dependency. So what happens when I have dependencies I do need?

So Much Code

Tokio is one of rust’s most well maintained packages of all time. This was added with axum a webserver by the same folks that sits on top of the tokio (the async runtime). Tokio is legitimately one of the coolest things I’ve ever gotten to work with, touting itself as a work stealing multithreaded runtime. Tokio has performed leaps and bounds better than I ever could have hoped.

So with that I chose to add a couple more dependencies that I belived were needed, bringing my total cargo file to these
Axum, Reqwest , ripunzip, serde, serde_json, tokio, tower-http, tracing, and tracing-subscriber

In general I considered the project to be trivial, a webserver that handles requests, unzips files, and has logs

In an attempt to build resilient software I decided to vendor my packages, a cargo feature that downloads all my dependencies so I can host them locally.

Out of curiosity I ran toeki a tool for counting lines of code, and found a staggering 3.6 million lines of rust. Removing the vendored packages reduces this to 11136 lines of rust.

Now I understand that webservers are complex, and a full asyncronous runtime is even more complex. However the entire linux kernel is 27.8 million lines according to this register article

That’s only 7 of my project….

How could I ever audit all of that code?

The code that I personally wrote is only around 1000 lines

What’s the solution?

I have no idea… Many call for adding more to the rust standard library much like Go, however this causes its own set of issues. Rust is positioned as a high performance, safe, and modular language meaning to compete with CPP and C. That means it targets things like embedded devices. Every new thing that gets added to the std library is one more thing for the rust team to have to manage and work on. Just Tokio itself has one of the most active Github and programming discords Ive seen.

I can’t rewrite the world, an async runtime and web server are just too difficult and take to long for me to justify writing for a project like this (although I should eventually just for a better understanding).

With a question I’ve asked during an interview at cloudflare I was told that cloudflare just leverages tokio like everyone else and pulls from crates.io. How often do they audit that code?

Clickhouse has mentioned problems with binary sizes and I doubt they even have the same amount of crates.

With cargo there is no easy way (as far as I can tell) to see what lines ACTUALLY get compiled into the final binary, many crates include items for windows which I don’t necessarily need (but there’s no official way to tell cargo that).

So now I pose the question to you what do we do?

Hiring for a rust role? consider me 🙂

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!