
Maintainers of all open source standard libraries are effectively "random third parties". With heavily used ecosystem dependencies (such as Tokio, but also swaths of small libraries, such as `futures` or `regex`), the number of people who have looked at the code and battle-tested it is also huge.

On crates.io, a good heuristic is to look at two numbers: the number of dependents and the number of downloads. If both are high, it's _probably_ fine. Otherwise, I'll manually audit the code.

That's not a complete solution, especially not if you're worried about this from a security perspective, but it's a good approximation if you're worried about the general quality of your dependencies.
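The "dependents plus downloads" heuristic above is easy to script over a lockfile. The following is an added example, not code from the thread or from any crates.io tooling: it parses a constructed `Cargo.lock` excerpt, pulls per-crate stats through an injectable fetcher, and sorts each registry crate into "probably-fine" or "audit". The thresholds `MIN_DEPENDENTS` and `MIN_DOWNLOADS` are assumptions (the comment only says "high"); the `fetch_crates_io_stats` function uses the public crates.io JSON API, while the demo substitutes constructed numbers so it runs offline.

```python
"""Triage Cargo.lock dependencies with the crates.io dependents/downloads heuristic.

Added example (not from the thread). Thresholds are assumptions; the live
fetcher talks to crates.io, the demo uses constructed stats and runs offline.
"""
import json
import re
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

# Assumed thresholds: the thread only says "high". Tune to your risk appetite.
MIN_DEPENDENTS = 100
MIN_DOWNLOADS = 1_000_000

# Constructed Cargo.lock excerpt so the example needs no real project.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "regex"
version = "1.10.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "regex",
 "tiny-helper",
]

[[package]]
name = "tiny-helper"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

CrateStats = Dict[str, int]  # {"dependents": n, "downloads": n}


def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every registry package in a Cargo.lock.

    Packages without a `source` line are path/workspace members (our own
    code), so they are skipped; only third-party registry crates are triaged.
    """
    packages = []
    for block in re.split(r"^\[\[package\]\]$", text, flags=re.MULTILINE)[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, flags=re.MULTILINE))
        if fields.get("source", "").startswith("registry+"):
            packages.append((fields["name"], fields["version"]))
    return packages


def fetch_crates_io_stats(name: str) -> CrateStats:
    """Live fetcher (network required) using the public crates.io JSON API.

    /api/v1/crates/{name} gives crate.downloads; the reverse_dependencies
    endpoint reports the dependent count in meta.total. crates.io asks
    clients to send an identifying User-Agent.
    """
    headers = {"User-Agent": "dep-heuristic-example (added example script)"}
    base = f"https://crates.io/api/v1/crates/{name}"
    with urlopen(Request(base, headers=headers)) as resp:
        downloads = json.load(resp)["crate"]["downloads"]
    with urlopen(Request(base + "/reverse_dependencies", headers=headers)) as resp:
        dependents = json.load(resp)["meta"]["total"]
    return {"dependents": dependents, "downloads": downloads}


def triage(packages: List[Tuple[str, str]],
           stats_for: Callable[[str], CrateStats]) -> Dict[str, str]:
    """Label each crate "probably-fine" only when BOTH numbers clear the bar.

    Everything else lands on the manual-audit list. This prioritises review
    effort; it is not a security verdict (a popular crate can still ship a
    bad build script).
    """
    verdicts = {}
    for name, _version in packages:
        s = stats_for(name)
        ok = s["dependents"] >= MIN_DEPENDENTS and s["downloads"] >= MIN_DOWNLOADS
        verdicts[name] = "probably-fine" if ok else "audit"
    return verdicts


# Constructed stats: a widely used crate and an obscure one.
FAKE_STATS: Dict[str, CrateStats] = {
    "regex": {"dependents": 12_000, "downloads": 250_000_000},
    "tiny-helper": {"dependents": 3, "downloads": 1_200},
}


def demo() -> Dict[str, str]:
    """Offline run over the constructed lockfile and constructed stats."""
    return triage(parse_cargo_lock(SAMPLE_CARGO_LOCK), lambda n: FAKE_STATS[n])


if __name__ == "__main__":
    for crate, verdict in demo().items():
        print(f"{crate:<14} {verdict}")
```

Swap `lambda n: FAKE_STATS[n]` for `fetch_crates_io_stats` to run it against a real lockfile; keeping the fetcher injectable also makes the triage logic unit-testable without network access.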



People are paid to work on standard libraries and there’s a whole process behind developing and releasing this software.

Tokio on the other hand is the library whose maintainer decided to download a binary blob during build: https://github.com/tokio-rs/prost/issues/562 https://github.com/tokio-rs/prost/issues/575

Good luck catching such issues across dozens of crates.


The issue you linked is a perfect example in support of my argument. Lots of people noticed the problem, and it was quickly rectified.


What other “quality” is there to worry about besides security?


Stability, correctness, test coverage, performance.

You can lump anything under "security" for particular use cases, but what's the point of words then?



