Hacker News
by Gigachad 765 days ago
This doesn’t seem like a real issue. Servers can handle a several megabyte executable, and CVE warnings for libraries you aren’t using can be ignored.
1 comment

In the hypothetical above, you won’t have any way to know which libraries are actually being used unless you read through the source code. Many libraries will transitively include protobuf, but most functions will not call protobuf.
Agreed. Even if you establish that it's not being used today, that doesn't mean that it will continue to be unused after the next few commits land.

And, even though you might not see a way to call into the unused code, an attacker might find a way (XZ Utils).
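The replies above hinge on one question: is the transitively pulled-in library reachable from the program's entry points today, and does that answer survive the next commit? The following is an added example, not code from the thread or from any project named in it, of the call-graph reachability analysis that tools such as govulncheck perform to answer that question. The call graph, the module names and the symbol `protobuf.unsafe_parse` are all constructed for the illustration.

```python
"""Reachability check for a transitive dependency (added illustration).

Constructed example: a tiny call graph in which protobuf is pulled in
transitively through rpcclient, but nothing reachable from the entry
point calls into it today.
"""
from collections import deque

# Constructed dependency list: what a manifest or SBOM would report.
DECLARED_DEPS = {"app", "rpcclient", "protobuf", "log"}

# Constructed call graph: caller -> callees, names qualified by module.
CALL_GRAPH = {
    "app.main": ["app.serve", "log.info"],
    "app.serve": ["rpcclient.connect", "log.info"],
    "rpcclient.connect": ["rpcclient.dial"],
    "rpcclient.dial": [],
    # rpcclient ships an encoder built on protobuf, but no caller above
    # uses it, so protobuf is linked yet unreachable.
    "rpcclient.encode": ["protobuf.marshal"],
    "protobuf.marshal": ["protobuf.unsafe_parse"],  # hypothetical vulnerable symbol
    "protobuf.unsafe_parse": [],
    "log.info": [],
}


def reachable_functions(graph, entry_points):
    """Breadth-first walk from the entry points; returns every function reached."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, []))
    return seen


def module_of(fn):
    """'protobuf.marshal' -> 'protobuf'."""
    return fn.split(".", 1)[0]


def reachable_modules(graph, entry_points):
    """Modules that own at least one reachable function."""
    return {module_of(fn) for fn in reachable_functions(graph, entry_points)}


def unreachable_declared_deps(graph, entry_points, declared):
    """Declared modules that no entry point reaches: the 'CVE you can ignore today' set."""
    return declared - reachable_modules(graph, entry_points)


def is_symbol_reachable(graph, entry_points, symbol):
    """True if a specific (e.g. vulnerable) function is reachable."""
    return symbol in reachable_functions(graph, entry_points)


def with_extra_call(graph, caller, callee):
    """Copy of the graph with one new call edge, simulating a later commit."""
    new = {k: list(v) for k, v in graph.items()}
    new.setdefault(caller, []).append(callee)
    return new


if __name__ == "__main__":
    entries = ["app.main"]
    print("declared but unreachable:",
          unreachable_declared_deps(CALL_GRAPH, entries, DECLARED_DEPS))
    print("protobuf.unsafe_parse reachable now:",
          is_symbol_reachable(CALL_GRAPH, entries, "protobuf.unsafe_parse"))
    # One commit later, app.serve starts calling the encoder.
    later = with_extra_call(CALL_GRAPH, "app.serve", "rpcclient.encode")
    print("protobuf.unsafe_parse reachable after commit:",
          is_symbol_reachable(later, entries, "protobuf.unsafe_parse"))
```

Two caveats a practitioner would attach. First, the result is only valid for the graph as of this commit, which is why the check belongs in CI rather than being run once; a single new edge flips the answer, as the last lines show. Second, reachability from the program's own entry points says nothing about paths an attacker constructs, such as a malicious upstream change that wires dormant code into an existing entry point, which is the XZ Utils concern raised above: a linked-but-unreachable library is still attack surface for anyone who can change the graph.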