rant, package management religion
Ah yes, I see that all the religious "use less dependencies" takes have arrived in response to the PyPI/PyTorch incident, with apparently none of these people realizing that that literally wouldn't have made a difference here, and that the actual security issue is in pip itself.
re: rant, package management religion
For those less familiar with dependency security: what happened here was that PyTorch depended on a package from *their own* package registry, and someone could inject malware by publishing a package of the same name on PyPI, which automatically got preferred by pip *even though it wasn't the correct repository*.
The problem here is that pip disregards origin repository, and instead has its own priority rules that always override private repositories. This means that literally *any* private repository entry could have been overridden, whether you have 1 or 100 entries.