Sick of "many dependencies" framing [LWN.net]

Sick of "many dependencies" framing

Posted Feb 11, 2026 10:43 UTC (Wed) by Karellen (subscriber, #67644)
In reply to: Sick of "many dependencies" framing by taladar
Parent article: FOSS in times of war, scarcity, and AI

With five dependencies of 100kLOC each, you can ask "How trustworthy do these projects and their maintainers seem"?

You can look at the histories of the projects. You can see how long the projects have been going, how frequently releases are made. You can see if they just claim to follow semver, or actually do so. And, when they do make a brown paper bag release, what do they do next?

To answer your concerns, you can examine how well maintained 5 dependencies are. You can check the documentation of 5 dependencies - if it's well-written, and updated with every release? You can look at the testing infrastructure and see how the project talks about it in the forums, and see how seriously it's taken.

How do they handle security issues? Do they have a history of responding in a timely manner? Do they fix the issue, rather than trying to hand-wave it away or attacking the reporter? Do they apply security updates to LTS branches? Do they have LTS branches?

You can check the licensing. Are the licenses of these five dependencies compatible with each other, and with what you want to do?

With 5 dependencies, you can look at all of them. You can tell if they're 95% untested cruft that no-one dares touch. It's possible to find answers to all these questions.

Of course, being able to find those answers doesn't guarantee you'll like them. But you *can* know. You can assess the amounts of risk you're exposing yourself to. You can make trade-offs. You can make an informed decision about whether to use one dependency over another.

If you have 100 dependencies of 5kLOC each, I don't see how you can answer those questions in any meaningful way. I think it's more likely you stop really asking them in the first place. Or even stop considering that they are questions it's even possible to answer.

I do not understand how you might think you could have *more* information about the state of 100 codebases, than you could about 5. That just doesn't track for me.

to post comments

Sick of "many dependencies" framing

Posted Feb 11, 2026 11:55 UTC (Wed) by pizza (subscriber, #46) [Link]

>With 5 dependencies, you can look at all of them. You can tell if they're 95% untested cruft that no-one dares touch. It's possible to find answers to all these questions.
>If you have 100 dependencies of 5kLOC each, I don't see how you can answer those questions in any meaningful way.

I think it's important to re-iterate that "number of dependencies" matters far more than "kLOC of code" -- eg the paperwork (not to mention the _actual_ work) that you need for CRA compliance scales linearly based on the former, but not the latter.

Sick of "many dependencies" framing

Posted Feb 11, 2026 15:23 UTC (Wed) by farnz (subscriber, #17727) [Link]

My lived experience is that you're wrong. You can't examine, realistically, how well maintained the parts of a big dependency that you care about are maintained, because the project as a whole is well-maintained, and the parts you care about may well "look" maintained because someone's doing build fixes and the like - see the HIPPI support in the Linux kernel as an example, which "looked" maintained because it was getting some fixes, but was in fact unmaintained for all practical purposes.

Remember that practically, it's not 5 dependencies of 100 kLOC each versus 100 dependencies of 5 kLOC each, but 5 dependencies of 1,000 kLOC, where you rely on 100 kLOC of the dependency, versus 100 dependencies of 5 kLOC each, where you rely on 4 kLOC of each dependency. It sure is nice that the 90% you don't use is well-documented and well-maintained, but you need to answer the question not for the dependency as a whole, but for the part you use, to have an answer that's meaningful.

Sure, it's great that all the parts shared across platforms are well-maintained, and the Apple iOS using teams make build fixes to the Android build, but if you're using it on Android, you don't want to discover that the Android build is effectively unmaintained, and has critical vulnerabilities that they're going to respond to with "eh, we don't actually care about Android that much - switch to Apple products" when you hit them.

Sick of "many dependencies" framing

Posted Feb 11, 2026 15:25 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (1 responses)

Hmm. I think a metric that may matter more (but is far harder to measure) is how widely *used* a given dependency is ("impact"?). GTK2/3 may be *large*, but the ecosystem has largely moved on, so any problems can lay dormant for longer. Large projects are more likely to have a broad base of users. However, small dependencies can also be "as large as needed" and solve their problem well. And if the ecosystem as a whole uses it widely, any problems are *far* more likely to be noticed in a timely manner.

With tools like `crev`[1] and `cargo-vet` (and similar for other ecosystems), this feels like it'd be easier to get a grip on in a measurable way. "Just" need to find even more review time in everyone's schedules…

[1] https://github.com/crev-dev/crev/

Sick of "many dependencies" framing

Posted Mar 11, 2026 9:39 UTC (Wed) by sammythesnake (guest, #17693) [Link]

> And if the ecosystem as a whole uses it widely, any problems are *far* more likely to be noticed in a timely manner.

Open question: how does the scaling of "popularity" -> "quick spotting/fixing of problems" compare too the scaling of "popularity" -> "tasty target for malicious actors"...?

If the tastiness overtakes the benefits of problem spotting/fixing, then there's a net downside. I suspect neither scales neatly. There are probably discontinuities, such as when a specific project takes a dependency on - suddenly a particularly tasty target, or (hopefully) a particularly diligent project comes into scope. My bet would be on the former being the more significant. I also imagine the benefit is a diminishing returns scenario, whereas tastiness scales superlinearly, so the downside probably inevitably overtake the benefits at some point.

Related to that, the *diversity* of the uses matters a lot - if everyone else using it makes similar assumptions, that popularity doesn't imply much for a different use case...

Sick of "many dependencies" framing

Posted Feb 11, 2026 15:31 UTC (Wed) by mb (subscriber, #50428) [Link] (3 responses)

>If you have 100 dependencies of 5kLOC each, I don't see how you can answer those questions in any meaningful way.

https://crates.io/crates/cargo-vet

Sick of "many dependencies" framing

Posted Feb 11, 2026 23:07 UTC (Wed) by Karellen (subscriber, #67644) [Link] (2 responses)

Wouldn't that work just as well for a few large dependencies if, for some reason, you didn't want to do the vetting yourself though?

I still don't see how many small dependencies is an improvement.

Sick of "many dependencies" framing

Posted Feb 12, 2026 2:44 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

I think there's a higher chance that more people will review a small library than anyone will review "Qt" and give it a stamp of approval like this (beyond "it's got a lot of development behind it and Qt Company's track record is pretty good"). At which point, you're back to `cargo-vibes` instead.

Sick of "many dependencies" framing

Posted Feb 12, 2026 9:53 UTC (Thu) by farnz (subscriber, #17727) [Link]

You run into human nature again with the big dependency.

If you're using (say) Qt 7 for a Wayland application running on the Linux kernel, you don't benefit from Qt 7 having thousands of reviews scoped tightly to the Win32 code in Qt; you care about reviews of the Linux/Wayland code, not the Windows code. But the reviewers may well not bother to tell you that their review is scoped to the Win32 code - after all, they're reviewing Qt 7 as they use it, and they're assuming that you know that everyone uses Win32, because that's their life experience.

This puts you at high risk of the "thousands of irrelevant reviews" problem; you see lots of published reviews, and assume that the codebase is well-reviewed. But, in fact, those reviews cover the 80% of the codebase that everyone else uses, and not the 20% that's critical to your project.