xg15 11 hours ago
You will have lots of dead code in your build. That dead code might have "dead dependencies" - transitive dependencies of its own that it pulls in even though they are not actually used in the parts of the crate you care about. In the worst case, you can also have "undead code" - event handlers, hooks, background workers, etc. that the framework automatically registers and runs and that will do something at runtime, with all the credentials and data access of your application, but that have nothing to do with what you wanted to do. (Looking at you, Spring...) All those things greatly increase the attack surface, I think even more than pulling in a single-purpose library.
tardedmeme 11 hours ago | parent
Libraries like Guava and Commons don't have transitive dependencies - they are self-contained except for other parts of the same library.