cargo update rewrites my whole lockfile and i read the changelog for none of it
the direct deps in my Cargo.toml I sort of track. maybe 20 lines, I picked each one, I roughly know what they do. Then cargo update rewrites the lockfile and cargo tree comes back a couple hundred crates deep, and those transitive ones are what actually gets compiled into the binary.
'audit your dependencies' gets said like the tree is one flat list. It isn't. the crates you chose and the crates pulled in three levels under them are two separate awareness problems, and I only have a real handle on the first. the second layer just quietly accretes every time some direct dep bumps its own deps.
what gets me is the only moment a transitive crate ever enters my head is a failed build or a cargo audit hit. so my early warning system is basically 'it already went wrong'.
so do you actually review the transitive layer, pin it, read anything at all about the crates two or three levels down. Or is it settled-until-it-isn't, which is honestly where I've landed.