> That is true, but the hand-rolled StringUtil won't steal your credentials and infect your machine, which is the problem here.

Yeah, that's why I said that this is the other end of the pendulum.

> In C/C++ world, if it takes less than a couple hours to write, you might as well do it yourself rather than introduce a new dependency.

Oh I'm aware of that. My point still stands - that comes at a serious maintenance cost as well, and I'd also say a safety cost because you're probably not wrapping your homebrew StringUtils with a bunch of sanity checks and asserts, meaning there will be an opportunity for someone looking for a cheap source of exploits.