Sick of "many dependencies" framing

Posted Feb 11, 2026 15:25 UTC (Wed) by mathstuf (subscriber, #69389)
In reply to: Sick of "many dependencies" framing by Karellen
Parent article: FOSS in times of war, scarcity, and AI

Hmm. I think a metric that may matter more (but is far harder to measure) is how widely *used* a given dependency is ("impact"?). GTK2/3 may be *large*, but the ecosystem has largely moved on, so any problems can lay dormant for longer. Large projects are more likely to have a broad base of users. However, small dependencies can also be "as large as needed" and solve their problem well. And if the ecosystem as a whole uses it widely, any problems are *far* more likely to be noticed in a timely manner.

With tools like `crev`[1] and `cargo-vet` (and similar for other ecosystems), this feels like it'd be easier to get a grip on in a measurable way. "Just" need to find even more review time in everyone's schedules…

[1] https://github.com/crev-dev/crev/

to post comments

Sick of "many dependencies" framing

Posted Mar 11, 2026 9:39 UTC (Wed) by sammythesnake (guest, #17693) [Link]

> And if the ecosystem as a whole uses it widely, any problems are *far* more likely to be noticed in a timely manner.

Open question: how does the scaling of "popularity" -> "quick spotting/fixing of problems" compare too the scaling of "popularity" -> "tasty target for malicious actors"...?

If the tastiness overtakes the benefits of problem spotting/fixing, then there's a net downside. I suspect neither scales neatly. There are probably discontinuities, such as when a specific project takes a dependency on - suddenly a particularly tasty target, or (hopefully) a particularly diligent project comes into scope. My bet would be on the former being the more significant. I also imagine the benefit is a diminishing returns scenario, whereas tastiness scales superlinearly, so the downside probably inevitably overtake the benefits at some point.

Related to that, the *diversity* of the uses matters a lot - if everyone else using it makes similar assumptions, that popularity doesn't imply much for a different use case...