Are 600+ dependencies really necessary?

[MrFaul]

Each one of those 600+ dependencies is a liability.
My personal rule of thumb: if you use a dependency as a one trick pony and vastly underutilize it, it has to go.
This obviously falls flat for security stuff that is vetted to death but how many of those packages are this case.

So I ask you in all earnest, how may of those dependencies can you justify.
And it absolutely does not matter if they're reimports. Indirect imports are even worse.

What you aim to do here is to important for this kind of shenanigans.

[iduartgomez]

So I ask you in all earnest, how may of those dependencies can you justify.
And it absolutely does not matter if they're reimports. Indirect imports are even worse.

We don't have the bandwidth to nitpick things to this point sorry. We know what our main dependencies are for things we directly interact with (they aren't that many) and for the security related areas, but auditing all the dependency tree is something we simply cannot afford at this stage of the project. Is unreasonable at best to expect us to do that and replace our main dependencies just because transitively a crate we depend on is pulling some code in a code path our project is not even touching.

If you are willing to volunteer all help is welcome.

This is something to worry about when the project has 1000x the traction it has now, right now it would be a massive waste of our time. That said there may be some quick gains here try to standarize around some versions etc. but I don't think there is that much low hanging fruit.

[MrFaul]

Is it unreasonable? I don't think so.
Does it eat time? Of course it does.
But by all means, I don't see it as a waste of time.

Also I don't expect this to happen overnight.
As you said, this is a big task.
But it is something that needs to be kept in the back of your minds at all times to not make it worse and eventually collect at least the low hanging fruit along the way.

The "wait until we're bigger mentality, and have presumably more man power" is exactly the way to collect technical debt via the bargain bin.

It works, that is fine for now.
All I want is that you think about that.

[iduartgomez]

I am in favor of trimming dependencies as much as possible, and auditing the ones we have for the release build as much as possible. But I am not going to make a priority of it.

Most dependencies are pulled via some core dependencies which replacing is a non-goal (like our WASM runtime, the async runtime or the crypto related crates). We don't pull stuff for random silly things, if a dependency is there is probably for a good reason.