
Sick of "many dependencies" framing

Posted Feb 11, 2026 15:23 UTC (Wed) by farnz (subscriber, #17727)
In reply to: Sick of "many dependencies" framing by Karellen
Parent article: FOSS in times of war, scarcity, and AI

My lived experience is that you're wrong. You can't realistically examine how well maintained the parts of a big dependency that you care about are, because the project as a whole is well-maintained, and the parts you care about may well "look" maintained because someone's doing build fixes and the like - see the HIPPI support in the Linux kernel as an example, which "looked" maintained because it was getting some fixes, but was in fact unmaintained for all practical purposes.

Remember that practically, it's not 5 dependencies of 100 kLOC each versus 100 dependencies of 5 kLOC each, but 5 dependencies of 1,000 kLOC, where you rely on 100 kLOC of the dependency, versus 100 dependencies of 5 kLOC each, where you rely on 4 kLOC of each dependency. It sure is nice that the 90% you don't use is well-documented and well-maintained, but you need to answer the question not for the dependency as a whole, but for the part you use, to have an answer that's meaningful.

Sure, it's great that all the parts shared across platforms are well-maintained, and the Apple iOS using teams make build fixes to the Android build, but if you're using it on Android, you don't want to discover that the Android build is effectively unmaintained, and has critical vulnerabilities that they're going to respond to with "eh, we don't actually care about Android that much - switch to Apple products" when you hit them.



Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds