anyhow
Flexible concrete Error type built on std::error::Error
This package has a good security score with no known vulnerabilities.
Community Reviews
Rock-solid error handling with minimal runtime overhead
Memory footprint is excellent - errors are single-pointer sized despite carrying context chains. The library has zero dependencies beyond std, so supply chain risk is minimal. Breaking changes have been non-existent since 1.0; I've upgraded across 100+ point releases without touching code. Error downcasting with `.downcast_ref()` works reliably when you need to handle specific error types differently.
One gotcha: anyhow::Error deliberately obscures type information, which is correct for applications but wrong for libraries. The author is clear about this - use thiserror for library crates. The `bail!` and `ensure!` macros feel natural after a day of use and eliminate tons of boilerplate. No configuration needed, no connection pools to manage - it just works.
Best for: Application-level error handling where you need rich context without performance overhead or API complexity.
Avoid if: You're writing a library crate that needs to expose typed errors to consumers - use thiserror instead.
Battle-tested error handling that stays out of your way in production
The backtrace support integrates cleanly with RUST_BACKTRACE and RUST_LIB_BACKTRACE environment variables, giving you control over verbosity without code changes. Error chain formatting via {:#} is consistent and parseable, making log aggregation straightforward. The library has remained stable across versions - I've upgraded through multiple releases without breaking changes affecting runtime behavior.
One critical distinction: anyhow::Error is for applications, not libraries. For library code that needs typed errors, use thiserror. But for services where you need to propagate errors up to logging/monitoring boundaries, anyhow's trait object approach eliminates boilerplate while preserving full error chains and source information.
Best for: Application code and services where you need ergonomic error propagation with rich context and don't need to expose specific error types in your public API.
Avoid if: You're writing a library crate that needs callers to match on specific error variants or handle different error cases distinctly.
Ergonomic error handling with security tradeoffs in context propagation
In practice, the type erasure means you lose compile-time guarantees about error variants, which can be problematic for authentication/authorization flows where you need to distinguish between "user not found" vs "wrong password" without exposing that distinction to attackers. The `Debug` formatting includes full backtraces by default when `RUST_BACKTRACE=1`, which is helpful in development but dangerous if errors propagate to API responses or logs without sanitization.
The dependency footprint is minimal (essentially just std), which is excellent from a supply chain perspective. However, the library encourages a pattern where error details accumulate automatically, requiring explicit effort to redact sensitive information rather than being secure-by-default. You need supplementary logic to sanitize errors before they hit boundaries.
Best for: Application-level error handling in internal tools or services where rich debugging context outweighs information disclosure risks.
Avoid if: You need fine-grained error discrimination for authentication/authorization or must ensure zero sensitive data leakage by default in public APIs.
Sign in to write a review
Sign In