A post on Hacker News today is getting traction: a developer forked Python's popular httpx library because it pulls in too many dependencies.
His argument is simple: an HTTP client should not require 15+ transitive dependencies. The fork, called httpxyz, strips it down to the essentials.
This touches on something I've been thinking about a lot lately.
The Dependency Problem Is Real
Here's a quick experiment. Install httpx and count the dependencies:
pip install httpx
pip list | wc -l # You'll see 15+ packages
Now do the same with requests:
pip install requests
pip list | wc -l # Around 5 packages
And with the standard library:
import urllib.request
# Zero additional dependencies
For a simple HTTP GET, you're pulling in 15 packages with httpx vs. 0 with urllib.
Why This Matters
1. Supply chain attacks.
Every dependency is an attack surface. We just saw LiteLLM get compromised on PyPI. The more packages you install, the higher the risk.
2. Docker image size.
Each dependency adds megabytes to your container. In serverless environments, this directly affects cold start times.
3. Maintenance burden.
Every dependency can break your build with a new release. More dependencies = more things that can go wrong on pip install.
The Counter-Argument
httpx has features that justify its dependencies:
- HTTP/2 support
- Async support
- Connection pooling
- Automatic content decoding
If you need these features, the dependencies are worth it. The problem is when you're using httpx for simple GET requests that urllib handles fine.
My Rule of Thumb
Simple GET/POST → urllib.request (0 deps)
Need sessions/cookies → requests (5 deps)
Need async/HTTP2 → httpx (15 deps)
Need browser rendering → playwright (100+ deps)
Match the tool to the job. Don't use a sledgehammer for a nail.
What's Your Dependency Policy?
Do you audit your dependency tree? Do you have a maximum number of transitive dependencies you're comfortable with?
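One way to answer both questions for a single package, as an added example that is not from the original post or from httpx: walk the installed metadata with the standard library's importlib.metadata, collect the transitive closure, and compare it to a limit. The function names and the limit of 10 are assumptions; requirements gated on an optional extra are skipped and other environment markers are not evaluated.

```python
# Added example (not from the post); function names and the limit are illustrative.
import re
from importlib import metadata

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 normalization, so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_requires(name):
    """Requires-Dist lines of an installed distribution ([] if not installed)."""
    try:
        return metadata.requires(name) or []
    except metadata.PackageNotFoundError:
        return []

def direct_deps(requirement_lines):
    """Names of non-optional requirements. Lines gated on an extra are skipped;
    other environment markers are not evaluated, so this may over-count."""
    deps = set()
    for line in requirement_lines:
        spec, _, marker = line.partition(";")
        if "extra" in marker:  # e.g. 'h2<5,>=3; extra == "http2"'
            continue
        m = _NAME.match(spec)
        if m:
            deps.add(normalize(m.group(1)))
    return deps

def transitive_deps(root, requires=installed_requires):
    """Breadth-first closure of root's dependencies, excluding root itself."""
    root = normalize(root)
    seen, queue = set(), [root]
    while queue:
        for dep in direct_deps(requires(queue.pop(0))):
            if dep != root and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def check_budget(root, limit, requires=installed_requires):
    """Return (ok, sorted deps) so a CI step can fail when the closure exceeds limit."""
    deps = sorted(transitive_deps(root, requires))
    return len(deps) <= limit, deps

if __name__ == "__main__":
    print(check_budget("httpx", 10))  # 10 is an arbitrary example budget
```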
I've been building tools that help with this:
- API Security Scanner — checks dependencies against vulnerability databases
- Web Scraping Cheatsheet — includes minimal-dependency approaches
Curious to hear your approach.