326 packages right now when doing a build. Seems large in general, but for a Rust project, not abnormal.

Takes what, maybe 15 seconds to compile on a high-core machine from scratch? Isn't the end of the world.

Worse is the scope to have to review all those things, if you'd like to use it for your main passwords, that'd be my biggest worry. Luckily most are well established already as far as I can tell.

"326 seems large, but not abnormal" was the state of JS in the past as well.

Chance of someone auditing all of them is virtually zero, and in practice no one audits anything, so you are still effectively blindly trusting that none of those 326 got compromised.