by moonchrome 1680 days ago
> An average project would depend only on a few impure packages, such as a HTTP client or a framework, therefore it would be much easier to verify the security (for small impure packages you could just inspect their code yourself, and bigger packages like frameworks would have many contributors that check the code and strict policies about their security).

OK so just a random list of common packages a web app could use that come to mind:

- HTTP server
- HTTP client
- Logging
- Database
- Distributed cache
- File storage/blob storage
- Email
- Push notifications/SMS if dealing with mobile
- Auth (eg. OAuth/OpenID Connect middleware)
- Background task management/queue

And then there are libraries that wrap access to external services, and specific protocol libraries like gRPC or GraphQL.

I would say the number of pure libraries that you reference directly in a modern webapp is probably very low; that's all a layer below.

1 comments

Ok, but in Rust or NodeJS an HTTP server may depend on a package A that depends on a package B that depends on a package C that then introduces a backdoor in its 1.0.1 release. In a pure functional language you can quickly look through dependencies of an HTTP server, and if it has zero impure dependencies then you just need to trust the developers of this one HTTP server package.
You seem to be suggesting that impure actions never depend on the results of pure calculations.

Also System.IO.Unsafe exists.
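The two replies above describe the audit a maintainer would actually run: walk the transitive closure of a root package's dependencies, and treat as trusted-code only what is pure and free of escape hatches. The following is an added example, not code from any commenter in this thread. It uses a constructed, hypothetical package graph (the names, purity flags and the `uses_unsafe` flag are all made up; in a real Haskell build they would come from the package's import list, e.g. whether it imports `System.IO.Unsafe`) and reports which packages must still be reviewed by hand. It shows the A -> B -> C chain from the first reply and the second reply's point that a declared-pure package can still hide impurity behind an unsafe escape hatch.

```python
"""Transitive dependency trust audit (added example; constructed data).

Each package declares whether it is pure (no I/O in its exported API) and
whether it imports an unsafe escape hatch such as System.IO.Unsafe. The
audit walks every transitive dependency of a root package and lists the
packages whose source must actually be trusted or reviewed.
"""
from collections import deque

# Constructed dependency graph with hypothetical package names.
# name -> (declared_pure, uses_unsafe_escape_hatch, direct_dependencies)
PACKAGES = {
    "http-server": (False, False, ["pkg-a", "parser", "logger"]),
    "pkg-a":       (True,  False, ["pkg-b"]),
    "pkg-b":       (True,  False, ["pkg-c"]),
    # pkg-c claims to be pure but imports System.IO.Unsafe: its purity
    # cannot be taken at face value, so it must be reviewed like impure code.
    "pkg-c":       (True,  True,  []),
    "parser":      (True,  False, ["pkg-b"]),   # diamond: shares pkg-b with pkg-a
    "logger":      (False, False, []),          # honestly impure (writes to disk)
}


def transitive_deps(root, packages=PACKAGES):
    """Return every package reachable from root (root excluded), in BFS order.

    A visited set makes the walk safe on diamonds and cycles, so a package
    reachable by several paths is reported once.
    """
    seen = {root}
    order = []
    queue = deque(packages[root][2])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        order.append(name)
        queue.extend(packages[name][2])
    return order


def trust_set(root, packages=PACKAGES):
    """Packages whose code must be trusted: the root itself, every transitive
    dependency that performs I/O, and every dependency that claims purity but
    reaches for an unsafe escape hatch (the type system no longer vouches
    for it, so a backdoored release could still perform I/O)."""
    must_trust = {root}
    for name in transitive_deps(root, packages):
        pure, uses_unsafe, _deps = packages[name]
        if not pure or uses_unsafe:
            must_trust.add(name)
    return sorted(must_trust)


def report(root, packages=PACKAGES):
    """Human-readable summary used when running the audit by hand."""
    deps = transitive_deps(root, packages)
    trusted = trust_set(root, packages)
    lines = [f"{root}: {len(deps)} transitive dependencies, "
             f"{len(trusted)} packages to review"]
    for name in trusted:
        pure, uses_unsafe, _deps = packages[name]
        reason = "root" if name == root else (
            "impure" if not pure else "pure but uses unsafe escape hatch")
        lines.append(f"  {name}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("http-server"))
```

The pure packages in the middle of the chain (`pkg-a`, `pkg-b`, `parser`) drop out of the review list because the type system constrains what they can do; `pkg-c` stays in even though it is declared pure, because a package that imports an unsafe escape hatch can no longer be trusted on its signature alone, which is exactly why an audit has to check imports rather than declared purity.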