Rust Dependencies Scare Me

That&#x27;s the main criticism my colleagues have about Rust: a lot of unmaintained crates, and most of the time a lot of dependencies for... (almost) nothing.<p>It seems most of Rust developers adopt the pov of web front-end developers since a few years: depend on a lot of libraries for small things, never update your project to 1.0, and abandon &quot;quickly&quot; to build something new... and redo it again.<p>I really hope that alternatives like Zig or Jai will not let the community do like what they did with Rust.

Probably hard to do during nine-to-five, but personally commit to being a contributor on every dependency used.<p>Like having mini contracts with every package, even if it&#x27;s just to reproduce bugs, maintain a personal test suite, or to steer newcomers to resources.<p>Otherwise, we will always be in the dark about our dependencies, building our flying castles. (They float, but where&#x27;s the foundation?)<p>Alternatively, there are open-source code scanners and bill-of-material security tools. Those could be added as triggered workflows in your projects, to run on each pull request.<p>As well, the author did rewrite dotenv&#x27;s core features to replace it.

IME unmaintained Rust packages usually aren&#x27;t an issue, because Rust&#x27;s backwards-compatibility is really good. Only if there&#x27;s an unidiomatic design or bug in the part that you use, or a security vulnerability.<p>Rust dependency bloat may be an issue, but with good static analysis maybe not (the compiler can effectively remove dead code unlike JavaScript, and the IDE may be able to effectively filter it).

&gt; Many call for adding more to the rust standard library much like Go<p>&gt; So now I pose the question to you what do we do?<p>1. Port your application to the language&#x2F;tool that fits your needs like Go.<p>2. Hope that a language like Zig decides to feature a standard library as good as Go.