What's wrong with micro dependencies? Isn't it better to download only the code you need? Also it makes refactoring easier, and enforces better architecture.

Larger attack surface - you just need one of those N dependencies to fall for a spear phishing attack and you're cooked. Larger N is necessarily worse.

It depends on the software being written, but if it's a product your business sells or otherwise has an essential dependency on, then the best model available right now is vendoring dependencies.

You still get all the benefits of standing on top of libraries and frameworks of choice, but you've introduced a single point of entry for externally authored code - there are many ways you can leverage that to good effect (vuln scans, licence audits, adding patch overlays etc etc) and you improved the developer experience - when they check out the code, ALL of the code to build and run the project is already present, no separate npm install step.

You can take this model quite a bit further and buy some really useful capabilities for a development team, like dependency upgrades because they're a very deliberate thing now, you can treat them like any other PR to your code base - you can review the changes of each upgrade easily.

There's challenges too - maybe your npm dep builds a native binary as part of it, you now need to provide that build infra / tooling, and very likely you also want robust build artifact and test caching to save wasting lots of time.

Dependency management is work. And almost nobody does this work seriously because it has become unrealistic to do, which is the big concern here.

You now have to audit the hundreds of dependencies. Each time you upgrade them.

Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

And sometimes it's just better to review and then copy paste small utility functions once.

> Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

I get the impression that one driver to make microdependencies in rust is that code does weigh a lot because the rust compiler is so slow.

For a language with a focus on safety, it's a pretty bad choice

Is this bait? The whole context is malicious software being installed en masse via NPM micro dependencies.

They should just be part of the stdlib of the language.

Rust has a really big and comprehensive stdlib, especially compared to languages like C or JavaScript. It just decided that certain things won't be solved in the standard lib because there is no obviously-right solution and evolving towards a good solution is much easier in packages than in the stdlib, because the stdlib isn't versioned.

Some of the gaps feel huge, like no random, no time/date handling, and no async runtime. But but for most of them there are canonical packages that 95% of the ecosystem uses, with a huge amount of eyeballs on them. And sometimes a better solution does emerge, like jiff slowly replacing chrono and time for time/date handling.

Obviously this isn't the best solution from a security perspective. There would be less potential for supply chain attacks if everything was in the standard library. But that has to be weighed against the long-term usability of the language

No, I'd much rather a trusted source, like the language developers themselves, provide as much as possible.

And those last two points have absolutely nothing to do with micro dependencies one way or the other.