Dependency management
What is a dependency?
Something needed to run our product.
OR
Something we depend on.
Examples
- package
- binary file
- asset (image, CSS, anything)
- script
- Docker image
- ...
Why are dependencies really bad?
- We depend on them
- We don't own them (e.g. can't decide future directions)
- We don't have full control over them
- We don't understand them (black box)
- Upgrading them is a pain
- Can contain security issues without our knowledge
How to choose dependencies?
Maturity
- They have been around for a long time
e.g. Django, pytest, Flask
- We know and use them personally (for a long time)
e.g. attrs, django-simple-history, Click, pytest-django
Documentation
- Publicly available (e.g. https://readthedocs.org/, or a public website: https://docs.djangoproject.com/en/3.0/)
- Easy to read and understand
- Complete (every feature is documented)
- Has good public API documentation
Popularity
- GitHub stars (/forks)
- StackOverflow questions
- public forums, mailing lists
- package manager downloads
(for easier support)
Quality
- Look into the source code!
- Coding standards (e.g. PEP8, black, linters)
- Clean Code
- Test coverage
- Linters (e.g. pylint)
Release
- easy to install (e.g. with a package manager)
- digitally signed (e.g. OS package manager, GPG)
- frequent releases
Code accessibility (e.g. Open Source)
- Hosted on GitHub
Licenses
- Permissive: MIT, BSD, Apache
- Copyleft: GPL v1/2, AGPL, LGPL
How to handle dependencies properly?
(When we decided to use them?)
Version pinning
Tools
- copy-paste manually
- copy with script
- install with shell script
- OS package managers (apt, apk, yum, ...)
- Language package managers (pip, go mod, npm)
Upgrade strategies
- LTS (long term support)
- rolling release
- auto updates
- version pinning with manual updates
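As an added example (not part of the original slides), a small check for the "version pinning with manual updates" strategy: it audits a pip requirements file and flags requirements that are not pinned to an exact version, or that are pinned but lack the `--hash=` entries pip-tools emits with `pip-compile --generate-hashes`. The sample requirements and hash values are constructed.

```python
"""Audit a pip requirements file for unpinned or unhashed dependencies.

Added example, not code from the original slides. Pinning only protects
an install if every requirement names an exact version and, ideally, the
artifact hashes pip should verify; this checker reports lines that fall
short of that so the manual update step can fix them.
"""
import re

# Constructed sample: a requirements.txt mixing pinned+hashed, pinned
# only, range-specified and unspecified requirements (hash is fake).
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: the installed artifact must match this digest
django==3.0.5 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
# pinned, but any file the index serves under this version is accepted
attrs==19.3.0
# range specifier: resolves to whatever is newest at install time
click>=7.0
# no specifier at all
pytest
"""

# A requirement name (with optional extras) followed by an exact == pin.
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==\S+")


def join_continuations(text):
    """Join backslash-continued lines so a requirement and its hashes form one record."""
    return re.sub(r"\\\n\s*", " ", text)


def audit_requirements(text):
    """Return (line, problem) pairs for every requirement that is not exactly pinned and hashed."""
    findings = []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        # Skip blanks, comments and pip options such as -r or --index-url.
        if not line or line.startswith(("#", "-")):
            continue
        if not PIN_RE.match(line):
            findings.append((line, "not pinned with =="))
        elif "--hash=" not in line:
            findings.append((line, "pinned but no --hash"))
    return findings


if __name__ == "__main__":
    for line, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{problem:24s} {line}")
```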
Python package managers
pip-tools
poetry
pipenv
Go package managers
Go modules
JavaScript package managers
npm
yarn
Homebrew (OS X)
Dependency management
By Kiss György