Can't benefit from them patching a security issue, but don't suffer from:
- them breaking something
- a supply chain attack
- them making a change which breaks your program
  - you having accidentally relied on a bug or an unintended behavior of their code
    (which they may fix at any moment)
- many unneeded LOC in your codebase
- absolution of ownership
  - relying on a dependency versus having written it yourself
  - in the latter case you'll automatically take responsibility
    - think much more about the code's security/quality
    - have the knowledge to fix it and know exactly where to
      (in your 35 lines of code you yourself wrote)
- more burdensome upgrades of your software
- longer compilation times
- having to monitor their program
  - is it abandoned, ownership transferred to a dubious party
  - did the maintainer have a late-night drunken stupor accepting bad pull requests
  - did they react to a CVE or not
  - did they change the license
  - do they have a license but added their own problematic paragraph
  - does the program "develop badly"
    (change its target scope in any problematic way)
    (take on more and more bloat, more unneeded functionality)
- having a worse overview of your total dependencies
  (since they may themselves rely on further crates you don't expect)
- ...
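One way to regain the overview the last point talks about: this added Python example (not part of the original note) parses a Cargo.lock and computes every crate a root crate pulls in transitively, so "one dependency" can be compared with the real count. The lock file contents and crate names are constructed for illustration.

```python
"""Count the transitive crates one dependency pulls in, from a Cargo.lock.
Added example, not from the original note; the lock file below is constructed."""
import re
from collections import deque

CARGO_LOCK = """\
[[package]]
name = "myapp"
version = "0.1.0"
dependencies = ["tinyhttp"]
[[package]]
name = "tinyhttp"
version = "1.2.0"
dependencies = ["httparse-ish", "log-ish 0.4.0"]
[[package]]
name = "httparse-ish"
version = "2.0.0"
[[package]]
name = "log-ish"
version = "0.4.0"
dependencies = ["cfg-ish"]
[[package]]
name = "cfg-ish"
version = "1.0.0"
"""

def parse_lock(text):
    """Return {crate: [direct dependency names]} from Cargo.lock text.
    A dependency entry is "name", "name version" or "name version (source)";
    the crate name is always the first whitespace-separated token."""
    graph = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        entries = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
        graph[name] = [e.split()[0] for e in entries]
    return graph

def transitive_deps(graph, root):
    """Breadth-first closure: every crate reachable from root, root excluded."""
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        crate = queue.popleft()
        if crate in seen or crate == root:
            continue
        seen.add(crate)
        queue.extend(graph.get(crate, []))  # crates missing from the lock: no edges
    return seen

if __name__ == "__main__":
    g = parse_lock(CARGO_LOCK)
    total = transitive_deps(g, "myapp")
    print(f"direct: {len(g['myapp'])}, transitive: {len(total)} -> {sorted(total)}")
```

Run against a real project's Cargo.lock the same two functions give the actual transitive count behind each direct dependency.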