Comment by lesuorac

6 days ago

Isn't xz-utils exactly why you would want a lot of dependencies over a singular one?

If, say, Serde gets compromised, then only the projects depending on that version of Serde are compromised, as opposed to if Serde were part of the std library, in which case every Rust program is compromised.

> That mistake has bitten NPM repeatedly already, and the reckoning is coming for Rust too.

Eh, the only thing that's coming is that using software expressly without a warranty (expectantly) will mean that software will cause you problems at an unknown time.