When you write the implementation yourself, you have to do all the work of finding it's bugs. If you don't think there are any left, you just haven't found them yet.

Boring only means you're oblivious to the problems that still remain. How many people have actually bothered to look for security vulnerabilities in toybox's command line parsing? link traversal?

Vendoring code from the same place as everyone else means having help to find problems and get them fixed. "many eyes make all bugs shallow" -Torvalds

Do not people understand that if you have a well tested software and rewire that in any language really, then while an off by one error overwriting an array might be caught there is no guarantee for the structural behavior of the program being sane.

Let's say the programmer forgets to treat tab as a whitespace under certain conditions (double tab) for example, if you pipe the output through a couple of programs (not uncommon in *nix) a new version of any program with a problem like the tab bug example that the original program did not have may result in corrupted data elsewhere in the system (just imagine wc as an example)

Yes this is a risk with all software regardless of language/version/revision etc, but in my opinion renders the rust Vs C problem mostly irrelevant. A buffer overrun you never hit its not a problem, likewise a super safe program is useless if it in those rare situations produces garbage from time to time. Both are bugs that can corrupt data or make issues elsewhere. It's simply a bug that should and will be fixed or worked around if people are interested enough.

That alone doesn't explain it. Add a healthy dose of C++ hatred and a blind admiration of Linus' ramblings to it, you'll get a viable explanation.

No, or at least it depends. If a project does publish the Cargo.lock file with many projects do you get the exact same versions of all deps as the other developer when he was writing and testing/using them. uutils does have them in the repo, so they is no automatic updating of dependencies, it only happens when you explicitly run "cargo update".
And as far I know more or less happens the same happens when you vendor packages with cargo vendor. So they is no harm for audits and build reproducibility

While that is obviously not an option, I think it may be possible to come up with a tiered solution. Create a language and compiler good enough for systems programming and add everything else on top of that as optional language extensions, abstractions and compiler modules.
Imho, the more we concentrate on learning the underlying concepts and the less we fixate on languages and syntax, the better off we are.

Are you trying to spread FUD or why are you suggesting that using external dependencies in rust will lead to questionable memory safety?

For example it is quite easy to check which of your dependencies are using unsafe blocks by using cargo geiger.

It is reasonable to assume that the authors of a safety critical create like this put some thought into to use or not to use those dependencies.

That's why you typically check in the Cargo.lock file. And update it to fix bugs or security issues. Cargo audit helps you with this.

That's why this coreutils replacement is developed using the test suite of the original project. That helps to get the structural behaviour right.

I'm only suggesting that they can and occasionally do.

Memory-related CVEs have been assigned to dependencies of this project in the past. I'm pretty sure they were all quickly resolved, but they happened nonetheless.

This project also has a number of C dependencies. There's nothing Rust can do to ensure they function soundly.

I wouldn't personally make that assumption, but it doesn't really matter.

The current number and nature of dependencies for this project make me uncomfortable. [Emphasis added for clarity.]

If you feel differently, that's A-OK! There are plenty of forks to go around.​

I had understood the original question to imply that "cargo update" would be run. But if not, then you are correct, nothing would change for the parent crate unless the lock itself were to change.