Rust’s dependencies are starting to worry me

https://news.ycombinator.com/rss Hits: 8
Summary

Rust Dependencies Scare Me

I do not pretend to have more experience or understanding than the top-level engineers I often see writing blogs here, but what I am is annoyed. I love Rust. It's by far my favorite language; I enjoy the community and the language ergonomics. I've been able to incorporate it into projects in my day job where it fits. Rust's dependencies are starting to worry me.

For those who don't code in Rust, Rust provides an ecosystem of crates through crates.io, allowing users to install them with the command cargo add, or by simply adding the requested crate and version to the Cargo.toml file. This paradigm is similar to NPM for nodejs.

The Good

Cargo is helpful and a huge productivity booster, ensuring I don't have to hunt around and link files myself with something like CMake. This also allows me to swap between architectures and operating systems pretty frequently, mainly my M1 MacBook Air and my x86 Debian desktop. In general I don't have to think much about package management, and it gets me right into writing code.

The Bad

Not thinking about package management carefully makes me sloppy. In a recent production project I pulled in dotenv, a crate I've seen many other Rust developers use. This worked fine for multiple weeks until recently, when I was checking a Rust security advisory that mentioned dotenv is unmaintained. Below is a suggested alternative, dotenvy. This whole fiasco led me to think... do I even need this crate at all? 35 lines later I had the parts of dotenv I needed. Packages become unmaintained in every language, and it was my choice to pull in an arguably trivial dependency. So what happens when I have dependencies I do need?

So Much Code

Tokio is one of Rust's best-maintained packages of all time. It was added along with axum, a web server by the same folks, which sits on top of tokio (the async runtime).
Tokio is legitimately one of the coolest things I've ever gotten to work with, touting itself as a work stealing multithreaded runt...
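A minimal .env loader of the kind the post describes writing in place of the dotenv crate, as an added example (not the author's 35 lines or the dotenv crate's code). It parses a constructed sample, rejects malformed lines instead of skipping them, and never overrides variables that are already set, so the real deployment environment wins over the file.

```rust
use std::collections::HashMap;
/// Constructed sample input (not a real deployment's file).
pub const SAMPLE_ENV: &str = "\
# database settings
export DATABASE_URL=postgres://app:s3cret@db.internal:5432/app
API_TOKEN=\"constructed token value\"   # quoted, so spaces survive
LOG_LEVEL=debug # unquoted: inline comment is dropped

EMPTY=
";

/// Parse `.env` contents: `#` comments, blank lines, an optional `export ` prefix,
/// quoted values. Malformed lines are errors (1-based line number), not skipped.
pub fn parse_dotenv(contents: &str) -> Result<HashMap<String, String>, String> {
    let mut vars = HashMap::new();
    for (idx, raw) in contents.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let line = line.strip_prefix("export ").unwrap_or(line);
        let (key, value) = line.split_once('=')
            .ok_or_else(|| format!("line {}: expected KEY=VALUE", idx + 1))?;
        let key = key.trim();
        if key.is_empty() || !key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
            return Err(format!("line {}: invalid key {:?}", idx + 1, key));
        }
        let value = value.trim();
        let value = if let Some(q) = value.chars().next().filter(|c| *c == '"' || *c == '\'') {
            // Quoted: take everything up to the matching closing quote.
            let inner = &value[1..];
            let end = inner.find(q).ok_or_else(|| format!("line {}: unterminated quote", idx + 1))?;
            &inner[..end]
        } else {
            // Unquoted: the value ends at an inline comment.
            value.split(" #").next().unwrap_or("").trim()
        };
        vars.insert(key.to_string(), value.to_string());
    }
    Ok(vars)
}

/// Export parsed variables without overriding anything already set, so the
/// real deployment configuration wins over the file. Returns how many were set.
pub fn apply(vars: &HashMap<String, String>) -> usize {
    let fresh: Vec<_> = vars.iter().filter(|(k, _)| std::env::var_os(k).is_none()).collect();
    for (k, v) in &fresh {
        unsafe { std::env::set_var(k, v) }; // `unsafe` is only required from edition 2024
    }
    fresh.len()
}
```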

First seen: 2025-05-09 21:16

Last seen: 2025-05-10 04:17