Hacker News new | ask | show | jobs
by cyberpunk 53 days ago
shrug I guess we have different experiences. Any even small sized rust application I've come across rivals nodejs for amount of deps it pulls in.

Sure, just vendor them in, simples, right?
1 comments
IshKebab 52 days ago
You could do (it is simple), but all the code is stored on crates.io so there's no real need.

An exception is for crates that wrap C code which might get the code from elsewhere but those are quite rare.

link
cyberpunk 52 days ago
And they’re immutable, forever? No one can pull a leftpad?
link
cdirkx 52 days ago
Yes, they are immutable. It's only possible to "yank" a specific version, which will prevent new dependencies, but it will still be available for download for existing dependencies.

https://doc.rust-lang.org/cargo/commands/cargo-yank.html

link
dwattttt 52 days ago
To elaborate on "prevent new dependencies", dependency resolution will never choose a yanked version. However the yanked version remains hosted.
link