Rust makes it easy to add dependencies to your project: edit your Cargo.toml (or use cargo add to have it changed for you from the command line), and you get to use the crate. But do you know what you’ve added to your project? Are you sure you can trust those lines of code?
Of course, some developers won’t bother to find out. After all, if a crate is in wide use, what are the chances it’s doing something fishy? As it turns out, there’s ample precedent for that.
Even when there’s no ill will, libraries can contain weaknesses — the recent Log4Shell debacle gave many Java system maintainers sleepless nights.
But what can we do as developers? Sticking our collective heads in the sand is a recipe for disaster. Checking your entire dependency tree with your own eyes is too costly for all but the most security-sensitive projects.
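A cheap first answer to "what have I actually added?" is to look at what Cargo has locked rather than at Cargo.toml. The following is an added example, not code from the original article: it reads a Cargo.lock, records each locked package's source, and reports how many come from a registry, from git, or from the local workspace, which registry packages lack a checksum, and which crates are locked at more than one version. The lock file it parses (SAMPLE_LOCK) is a constructed sample with made-up crate names; pass the contents of your own Cargo.lock to parse_lock to run it for real.

```rust
// Added example, not code from the original article: read a Cargo.lock and
// summarize where the locked packages come from. SAMPLE_LOCK is constructed
// for this example; its crate names are made up.
use std::collections::BTreeMap;

/// One `[[package]]` entry. `source` is None for path/workspace members; `checksum` is the SHA-256 of the .crate file.
#[derive(Debug, Clone, Default)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,
    pub checksum: Option<String>,
}

/// Minimal parser for the line-oriented form Cargo writes (lock file v2/v3).
/// It reads only the `key = "value"` lines it needs; dependency arrays are skipped.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let unquote = |v: &str| v.trim().trim_matches('"').to_string();
    let mut pkgs: Vec<Package> = Vec::new();
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.push(Package::default());
            continue;
        }
        // Keys before the first [[package]] (e.g. `version = 3`) belong to no package.
        let cur = match pkgs.last_mut() { Some(p) => p, None => continue };
        if let Some((key, val)) = line.split_once('=') {
            match (key.trim(), val.trim()) {
                ("name", v) => cur.name = unquote(v),
                ("version", v) => cur.version = unquote(v),
                ("source", v) => cur.source = Some(unquote(v)),
                ("checksum", v) => cur.checksum = Some(unquote(v)),
                _ => {} // `dependencies = [` and array entries carry no key we need
            }
        }
    }
    pkgs
}

/// Provenance summary a reviewer wants before trusting the lock file.
#[derive(Debug, Default, PartialEq)]
pub struct Report {
    pub total: usize,
    pub registry: usize,
    pub local: usize,
    pub non_registry: Vec<String>,       // git or other sources, as "name version source"
    pub missing_checksum: Vec<String>,   // registry packages Cargo cannot verify on download
    pub duplicate_versions: Vec<String>, // crates locked at more than one version
}

pub fn report(pkgs: &[Package]) -> Report {
    let mut r = Report { total: pkgs.len(), ..Default::default() };
    let mut versions: BTreeMap<&str, Vec<&str>> = BTreeMap::new();
    for p in pkgs {
        versions.entry(p.name.as_str()).or_default().push(p.version.as_str());
        match p.source.as_deref() {
            None => r.local += 1,
            Some(s) if s.starts_with("registry+") || s.starts_with("sparse+") => {
                r.registry += 1;
                if p.checksum.is_none() { r.missing_checksum.push(format!("{} {}", p.name, p.version)); }
            }
            Some(s) => r.non_registry.push(format!("{} {} {}", p.name, p.version, s)),
        }
    }
    for (name, vs) in versions.iter().filter(|(_, vs)| vs.len() > 1) {
        r.duplicate_versions.push(format!("{} ({})", name, vs.join(", ")));
    }
    r
}

/// Constructed sample: one workspace crate, three crates.io packages (two versions of `gamma`, one without a checksum) and one git dependency.
pub const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "demo-app"
version = "0.1.0"
[[package]]
name = "alpha"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
dependencies = [
 "gamma 2.0.0",
]
[[package]]
name = "gamma"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2222222222222222222222222222222222222222222222222222222222222222"
[[package]]
name = "gamma"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "tiny-helper"
version = "0.3.0"
source = "git+https://example.invalid/tiny-helper#0123456789abcdef"
"#;

fn main() {
    let r = report(&parse_lock(SAMPLE_LOCK));
    println!("{} packages: {} registry, {} local, {} other", r.total, r.registry, r.local, r.non_registry.len());
    for s in &r.non_registry { println!("  not from a registry: {}", s); }
    for s in &r.missing_checksum { println!("  WARNING: no checksum for registry package {}", s); }
    for s in &r.duplicate_versions { println!("  several versions locked: {}", s); }
}
```

This does not replace reading the code, but it narrows down where to look: a git dependency is a crate no registry has ever seen, a registry entry without a checksum is one Cargo cannot verify on download, and two locked versions of the same crate double the code you are vouching for. The parser deliberately understands only what Cargo itself writes; it is not a general TOML parser and would need a real one for hand-edited lock files.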