by db48x 1791 days ago
I look at it the other way around. You own any bug in your product whether it comes from a dependency or from code of your own; you have to fix the bug either way. Using a dependency doesn’t reduce your responsibility, but it does reduce the amount of code that you have to write yourself.
1 comment

But if you are willing to own that responsibility then you should read the code you're importing to begin with. I know I do but I also know most people don't bother.

I do acknowledge that there will always be bugs that are identified by your users but equally if you're not auditing your dependencies first then it's hard to argue that you're not just passing off that responsibility wholesale to your users.

It's always a tradeoff whether you want to read some other code or work on something else. The Rust ecosystem is not that mature, so for a few libraries I had to end up rewriting the thing myself with some fixes or without some bloat. I'm writing an application-level thing and I need as many utilities as possible, as I do not want to write all the layers for all the abstractions that end up in my product. Then when something breaks I investigate, offer a fix, open an issue or whatever. I'm not writing something that requires too much reliability or whatever; the utility is elsewhere.