Vetting the cargo

Posted Jun 14, 2022 16:18 UTC (Tue) by excors (subscriber, #95769)
In reply to: Vetting the cargo by fratti
Parent article: Vetting the cargo

atty is an optional dependency of clap, so it's only pulled in if you enable the "color" feature (which is enabled by default, but if you care about trusting dependencies then I think you should always be disabling default features and only choosing the ones you really need).

With default-features=false, clap has 7 transitive dependencies (and one of those is owned by the clap project), which doesn't sound like a crazy amount to be vetted. The default features add another 4 transitive dependencies. But if you turn on all the stable optional features, it goes up to about 28, which does sound more like a crazy amount.
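
One way to measure the vetting surface the comment above counts by hand, as an added example that is not part of the original comment: it walks the `resolve` graph that `cargo metadata --format-version 1` emits and reports which crates a feature change pulls in. The crate names and both JSON dumps are constructed, and a single root package (`resolve.root` not null) is assumed.

```python
import json
from collections import deque

def transitive_deps(metadata_json, kinds=(None, "build")):
    """Ids of all crates reachable from the root. kind None is a normal
    dependency; "dev" edges are skipped because they are not shipped."""
    resolve = json.loads(metadata_json)["resolve"]
    nodes = {n["id"]: n for n in resolve["nodes"]}
    root = resolve["root"]  # assumption: one root package, not a virtual workspace
    seen, queue = {root}, deque([root])
    while queue:
        for dep in nodes[queue.popleft()]["deps"]:
            if dep["pkg"] in seen:
                continue
            if any(k["kind"] in kinds for k in dep["dep_kinds"]):
                seen.add(dep["pkg"])
                queue.append(dep["pkg"])
    return seen - {root}

def added_by(baseline_json, candidate_json):
    """Crates that appear only in the candidate graph, i.e. the extra review work."""
    return sorted(transitive_deps(candidate_json) - transitive_deps(baseline_json))

# --- constructed sample data (hypothetical crate names, simplified ids) ---
def _node(pkg, deps):
    return {"id": pkg,
            "deps": [{"pkg": d, "dep_kinds": [{"kind": k}]} for d, k in deps]}

_COMMON = [
    _node("app", [("argparser", None), ("testkit", "dev")]),
    _node("strutil", []), _node("cfg-probe", []),
    _node("testkit", [("mocklib", None)]), _node("mocklib", []),
]
# Graph resolved with default-features = false on the parser crate.
MINIMAL = json.dumps({"resolve": {"root": "app", "nodes": _COMMON + [
    _node("argparser", [("strutil", None), ("cfg-probe", "build")]),
]}})
# Graph resolved with the default features left on: one optional
# dependency appears and brings its own dependency with it.
DEFAULT = json.dumps({"resolve": {"root": "app", "nodes": _COMMON + [
    _node("argparser", [("strutil", None), ("cfg-probe", "build"),
                        ("ttycheck", None)]),
    _node("ttycheck", [("oslib", None)]), _node("oslib", []),
]}})

if __name__ == "__main__":
    print(len(transitive_deps(MINIMAL)), "crates with default features off")
    print("default features add:", added_by(MINIMAL, DEFAULT))
```

Run against two real `cargo metadata` dumps, taken before and after changing the feature list in `Cargo.toml`, the same diff shows which crates a feature adds to the review list.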



