by xg15 765 days ago
Sounds like a great idea, until you find that your SMTP library pulls in 5 other libraries as its own dependencies and those each pull in 3 transitive dependencies of their own, one being some kitchen sink/toolbox project where only 1% of its code is actually relevant to the dependant and the rest is dead weight - but which pulls in 20 more dependencies for functions that are literally never called in your project - and before you know it, your codebase bloats up by several MB and you get CVE warnings for libraries that you didn't even know existed, let alone that you're using them.
2 comments

I agree with this principle in general.

But for SMTP libraries, that's often part of stdlib (Ruby, Python, PHP, ...).

This doesn’t seem like a real issue. Servers can handle a several megabyte executable, and CVE warnings for libraries you aren’t using can be ignored.
In the hypothetical above, you won’t have any way to know which libraries are actually being used unless you read through the source code. Many libraries will transitively include protobuf, but most functions will not call protobuf.
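The situation the two comments above describe, as an added example (not code from any commenter): a script that walks a constructed lock-file graph to get the full transitive closure, compares it with the top-level modules that were actually loaded during a test run, explains which chain pulled in each never-loaded package, and splits advisories by whether the affected code was ever loaded. The graph, the loaded-module set and the advisory ids are all constructed placeholders.

```python
from collections import deque

# Constructed sample lock-file graph (not a real project): package -> direct deps.
# "toolbox" depends back on "smtp-client" so the walk must tolerate cycles.
DEPS = {
    "app": ["smtp-client"],
    "smtp-client": ["toolbox", "tls-helper"],
    "toolbox": ["protobuf", "yaml-parse", "imaging", "smtp-client"],
    "tls-helper": ["certs"],
    "imaging": ["zlib-bind"],
    "protobuf": [], "yaml-parse": [], "zlib-bind": [], "certs": [],
}

# Constructed: distributions whose modules appeared in sys.modules after the test suite ran.
LOADED = {"app", "smtp-client", "tls-helper", "certs", "toolbox"}

# Constructed advisory feed: package -> placeholder advisory id (not real CVE numbers).
ADVISORIES = {"protobuf": "CVE-PLACEHOLDER-1", "certs": "CVE-PLACEHOLDER-2"}


def closure_with_paths(graph, root):
    """Breadth-first walk from root. Returns {package: path from root to package}.
    Each package is recorded the first time it is seen, so cycles terminate."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def triage(graph, root, loaded, advisories):
    """Partition installed packages and advisories by whether the code was ever loaded."""
    paths = closure_with_paths(graph, root)
    installed = set(paths) - {root}
    never_loaded = installed - loaded
    return {
        "installed": sorted(installed),
        "never_loaded": sorted(never_loaded),
        # Advisories on code that was loaded: highest priority.
        "loaded_advisories": {p: a for p, a in advisories.items() if p in installed and p in loaded},
        # Advisories on installed-but-unloaded code: still on disk, lower priority.
        "unloaded_advisories": {p: a for p, a in advisories.items() if p in never_loaded},
        # Which chain dragged each unused package in (answers "why is this installed?").
        "why": {p: " -> ".join(paths[p]) for p in never_loaded},
    }
```

A package that never loaded during the tests is lower priority, not safe to drop from the review: it stays installed, and a later commit or an alternate code path can start loading it.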
Agreed. Even if you establish that it's not being used today, that doesn't mean that it will continue to be unused after the next few commits land.

And, even though you might not see a way to call into the unused code, an attacker might find a way (XZ Utils).