Dependency Management

We never start from scratch there are so many libraries we can leverage and build upon to create a custom solution. Package management tools allow us to find and download specific versions of the libraries as well as the libraries those depend on (the dependency tree), and allow us to upgrade and maintain consistency for all devlopers and across all environments.

Things to consider when incorporating a package:

  • Is this library or package the one the community has rallied around and is becoming the defacto standard?
  • When was the last time this project was committed too? Does there seem to be an active community around this and do they release frequently?
  • Is the functionality you are gaining worth adding the package dependency complexity, or could you replace your usage of it with a few lines of code?

Key Concepts

  • Dependency Jargon: The terms 'dependency' or 'package' get thrown about, as do 'libraries'. Your application probably has depenedencies on other people's code. These code libraries are (hopefully) packaged into something like a node module, ruby gem, python egg, etc. Packaged libraries can be dealt with by a package manager, saving lots of headache.
  • Package Repository: Packaged libraries are usually available through a central package repository on the public internet such as maven central, rubygems, PyPI or npm. These tend to be the default, but organizations can also have private package repositories for the purpose of keeping code confidential or secure.
  • Manifest: Best practice is to use a manifest file (package.json, Gemfile, requirements.txt, etc.) that describes the dependencies required by your project. This allows others who download your code to let the package manager software go out and get the right versions of everything.
  • Dependency Resolution: Package managers also resolve dependencies, because your dependencies also have dependencies, and those might conflict with each other. The entire set of dependencies is known as the "dependency tree."
  • Updates: Packages are a great accelerator at providing lots of features and funcitonality. You packages need to be maintained and reviewed for security issues or vulnerabilities so they can quickly be updated with security updates and releases. Also there is a need to update packages for non-security related issues otherwise it will be harder to update when there is an issue in the future.

Pluribus Expectations

  • Only introduce dependencies via a manifest and package manager, unless there is no other way.
  • Perform due dilligence to investigate a new package, including update frequency, github stars/forks, code investigation, etc.
  • Everything that is added to a project is now your maintenence burden, if there is a way to add only a small portion of a larger library or even write a small amount of custom code if that meets the needs of the project.

results matching ""

    No results matching ""