Hacker News

kvuj, today at 3:45 PM

The cargo.lock file is 2200+ lines long. Did they spend a reasonable amount of time auditing these dependencies?


Replies

CodesInChaos, today at 4:17 PM

That's 238 dependencies (counting multiple versions of the same crate).

* Many of them are part of families of crates maintained by the same people (e.g. rust-crypto, windows, rand or regex).

* Most of them are popular crates I'm familiar with.

* Several are only needed to support old compiler versions and can be removed once the MSRV is raised.

So it's not as bad as it looks at first glance.

shikon7, today at 3:58 PM

What would be a reasonable amount of time to audit the dependencies?

Andrex, today at 3:53 PM

They ran it through Copilot which gave it the all-clear.

adolph, today at 4:05 PM

  grep 'name = ' ms-litebox-Cargo.lock | wc -l
     238
edit:

  grep 'name = ' ms-litebox-Cargo.lock | sort -u | wc -l
     221
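The two grep counts above (entries vs. unique names) are a quick approximation; a small parser gives the numbers an auditor actually wants. The script below is an added example, not code from the thread or from the project: it walks the `[[package]]` entries of a Cargo.lock, separates workspace/path packages (which have no `source` line and are the project's own code) from registry crates, and lists every crate that is locked at more than one version, since each extra version is another copy to review. The embedded lock file is a constructed sample with a placeholder checksum, not the real ms-litebox lock file.

```python
import re
from collections import defaultdict

# Constructed sample Cargo.lock (not the real ms-litebox file). It has one
# workspace member and three registry entries, two of which are the same crate.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "litebox-demo"
version = "0.1.0"
dependencies = [
 "rand 0.8.5",
 "rand 0.9.0",
 "regex",
]

[[package]]
name = "rand"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER-NOT-A-REAL-CHECKSUM"

[[package]]
name = "rand"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Only these three keys matter for counting; the 'dependencies' list entries
# ("rand 0.8.5") deliberately do not match, so they are never counted twice.
KV_RE = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"\s*$')


def parse_cargo_lock(text):
    """Return one dict per [[package]] entry with name/version/source keys."""
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None:
            continue  # header lines before the first package
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return packages


def summarize(text):
    """Count entries, external crates, unique crate names and duplicate versions."""
    packages = parse_cargo_lock(text)
    # Entries without a 'source' are workspace members or path dependencies:
    # the project's own code, not something fetched from a registry.
    external = [p for p in packages if "source" in p]
    versions = defaultdict(set)
    for p in external:
        versions[p["name"]].add(p["version"])
    duplicates = {name: sorted(v) for name, v in versions.items() if len(v) > 1}
    return {
        "entries": len(packages),
        "local": len(packages) - len(external),
        "external": len(external),
        "unique_external": len(versions),
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOCK)
    for key in ("entries", "local", "external", "unique_external"):
        print(f"{key:>16}: {report[key]}")
    for name, vers in sorted(report["duplicates"].items()):
        print(f"multiple versions: {name} -> {', '.join(vers)}")
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with `open("Cargo.lock").read()`. The difference between `entries` and `unique_external` is the figure the two grep pipelines were approximating, and the `duplicates` map tells you which crate families account for the gap.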
jrm4, today at 4:23 PM

Given, you know, Microsoft, I'd demand proof even if they said they did.