I am sure I am not the only one who thinks these micro-dependencies are worthless anyway. You'd be better off just listing the functions in a markdown file for people to copy over than ship an entire package for it.
This isn't "small" open source; "small" would be something you put together in a week or weekend. These are like "micro" projects, where more work goes into actually publishing and maintaining the repository than into actually writing the library.
I like the approach C sometimes takes, with the "tiny header file" type of libraries. Though I guess that also stems from the lack of a central build system.
Vendoring dependencies is how I remember doing it for web projects pre-NPM. Find an open source, well-tested library and copy the source into your project.
You have to manually update for any releases you care about, but that is also an incentive to keep dependency count low.
The security maintenance of the ten lines of code I have read and copied into my code is the same as for the ten lines of code next to it that I have written myself.
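The vendoring workflow described above (copy a reviewed file in, update it by hand when a release matters) is easier to keep honest with a small manifest that pins the bytes you actually read. The following is an added example, not code from any commenter in this thread; the file path, upstream URL and version numbers are constructed placeholders, and the "project tree" is an in-memory dict so it runs offline.

```python
"""Added example: a minimal manifest for vendored ("copied in") source files.

Each entry pins the exact bytes that were reviewed, and records where the copy
came from so a later manual update starts from a known version. Nothing here
downloads anything; the file tree below is constructed in memory.
"""
import hashlib
from typing import Callable, Dict, List

# Constructed manifest. Path, URL and version are placeholders, not a real project.
VENDOR_MANIFEST: Dict[str, dict] = {
    "vendor/pad_left.py": {
        "upstream": "https://example.invalid/pad-left/1.3.0/pad_left.py",
        "version": "1.3.0",
        "sha256": "",  # filled in by pin() after the code has been read
    },
}

# Constructed in-memory project tree standing in for the checked-out repository.
VENDORED_TREE: Dict[str, bytes] = {
    "vendor/pad_left.py": b"def pad_left(s, n, ch=' '):\n    return ch * (n - len(s)) + s\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin(manifest: Dict[str, dict], path: str, content: bytes) -> str:
    """Record the hash of the copy you actually read; run once per review."""
    digest = sha256_hex(content)
    manifest[path]["sha256"] = digest
    return digest


def check_drift(manifest: Dict[str, dict], read_file: Callable[[str], bytes]) -> List[str]:
    """Return vendored paths whose current bytes differ from the pinned hash
    (edited locally, replaced, or missing). read_file is injected so this
    works on the in-memory tree above as well as on a real checkout."""
    drifted: List[str] = []
    for path, entry in manifest.items():
        try:
            current = sha256_hex(read_file(path))
        except FileNotFoundError:
            drifted.append(path)
            continue
        if current != entry["sha256"]:
            drifted.append(path)
    return drifted


def _version_key(version: str):
    return tuple(int(part) for part in version.split("."))


def needs_update_review(manifest: Dict[str, dict], latest: Dict[str, str]) -> List[str]:
    """Return paths whose pinned upstream version is older than the one in
    `latest` (a constructed map of path -> newest known upstream version).
    This is the "manually update for releases you care about" step: it only
    flags the file; a human still reads the new copy before re-pinning."""
    return [
        path
        for path, entry in manifest.items()
        if path in latest and _version_key(entry["version"]) < _version_key(latest[path])
    ]


def demo():
    """Pin the reviewed copy, then simulate a local edit and a newer upstream."""
    tree = dict(VENDORED_TREE)
    manifest = {k: dict(v) for k, v in VENDOR_MANIFEST.items()}

    def read(path: str) -> bytes:
        if path not in tree:
            raise FileNotFoundError(path)
        return tree[path]

    pin(manifest, "vendor/pad_left.py", read("vendor/pad_left.py"))
    before = check_drift(manifest, read)  # nothing changed since review
    tree["vendor/pad_left.py"] += b"# local tweak\n"  # constructed unreviewed edit
    after = check_drift(manifest, read)  # the tweaked file is flagged
    review = needs_update_review(manifest, {"vendor/pad_left.py": "1.4.0"})
    return before, after, review


if __name__ == "__main__":
    print(demo())
```

Committing the manifest next to the vendored files gives a code reviewer a single place to see which upstream version and which exact bytes were accepted; running `check_drift` in CI turns silent edits to a vendored copy into a visible failure, which is the same review discipline the copied ten lines get as the ten lines beside them.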