Egregoros · Phoenix Framework

Post

Remote status

Context

feld

Rust projects have almost as many random library dependencies getting pulled in as Nodejs, it's sickening really. The wider that net is cast the easier supply chain attacks are going to be.

Meanwhile the simplest dependency graph for a moderately complex project is probably Python because of it's Batteries Included approach

Elixir is pretty sensible too actually

Replying to @feld@friedcheese.us

Phantasm

@phnt@fluffytail.org remote

@feld I think the best example of Rust dependency bloat is mise, a fancy Rust rewrite of asdf. asdf with it's statically linked go binary is ~5MB. Mise is 60MB.

Look at this: https://crates.io/crates/mise/2026.3.6/dependencies Why does it depend on tokio for async IO, why does it even need async IO.

Replies

Replying to @phnt@fluffytail.org

lain

@lain@lain.com remote

@phnt @feld mise is much nicer than asdf though

Replying to @lain@lain.com

Blurry Moon

@sun@shitposter.world remote

@lain @phnt @feld it even uses asdf plugins too I thin

Replying to @sun@shitposter.world

Phantasm

@phnt@fluffytail.org remote

@sun @feld @lain It can, but the whole point of the rewrite was so that it doesn't need to depend on literally untrusted shell code from outside the project. It prioritizes it's own things.