Dependency management

What is a dependency?

Something needed to run our product.
OR
Something we depend on.

Examples

  • package
     
  • binary file
     
  • asset (image, CSS, anything)
     
  • script
     
  • Docker image
     
  • ...

Why are dependencies really bad?

  • We depend on them
     
  • We don't own them
    (e.g. can't decide future directions)
     
  • We don't have full control over them
     
  • We don't understand them (black box)
     
  • Upgrading them is a pain
     
  • Can contain security issues
    without our knowledge

How to choose dependencies?

Maturity

  • They have been around
    for a long time
    e.g. Django, pytest, Flask
     
  • We know and use them personally
    (for a long time)
    e.g. attrs, django-simple-history, Click, pytest-django

Documentation

Popularity

  • GitHub stars (/forks)
     
  • StackOverflow questions
     
  • public forums, mailing lists
     
  • package manager downloads

for easier support

Quality

  • Look into the source code!
     
  • Coding standards
    (e.g. PEP8, black, linters)
     
  • Clean Code
     
  • Test coverage
     
  • Linters (e.g. pylint)

Release

  • easy to install
    (e.g. with package manager)
     
  • digitally signed
    (e.g. OS package manager, GPG)
     
  • frequent releases

Code accessibility
(e.g. Open Source)

  • Hosted on GitHub

Licenses

  • Permissive: MIT, BSD, Apache
     
  • Copyleft: GPL v1/2, AGPL, LGPL

How to handle dependencies properly?

(Once we have decided to use them)

Version pinning

Tools

  • copy-paste manually
     
  • copy with script
     
  • install with shell script
     
  • OS package managers
    (apt, apk, yum, ...)
     
  • Language package managers
    (pip, go mod, npm)

Upgrade strategies

  • LTS (long term support)
     
  • rolling release
     
  • auto updates
     
  • version pinning with manual updates

Python package managers

pip-tools

poetry

pipenv
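An added example, not part of the talk: a small checker for the pin file that pip-tools' `pip-compile --generate-hashes` writes. It reports requirements that are not exact `==` pins or carry no `--hash`, and shows the digest comparison that `pip install --require-hashes` performs on each downloaded artifact. The sample requirements file and its digests are constructed for the example.

```python
import hashlib
import re
# Constructed sample in the layout `pip-compile --generate-hashes` (pip-tools)
# writes; package names are from the talk, the digests are placeholders.
_FAKE = ["0" * 63 + d for d in "123"]
SAMPLE_REQUIREMENTS = (
    "# This file is autogenerated by pip-compile\n"
    "attrs==23.1.0 \\\n"
    f"    --hash=sha256:{_FAKE[0]}\n"
    "click==8.1.7 \\\n"
    f"    --hash=sha256:{_FAKE[1]} \\\n"
    f"    --hash=sha256:{_FAKE[2]}\n"
    "django>=4.2\n"  # ranges, compatible-release specs and bare names are not pins
    "pytest~=7.4\n"
    "requests\n"
)
# exact pin: name, optional [extras], '==', version; pip's --hash options follow
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;#]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def _logical_lines(text):
    """Join backslash-continued lines; skip blanks and comments."""
    for chunk in text.replace("\\\n", " ").splitlines():
        line = chunk.strip()
        if line and not line.startswith("#"):
            yield line

def audit_requirements(text):
    """'ok': exact pin plus digest; 'unhashed': exact pin only; 'unpinned': rest."""
    report = {"ok": [], "unhashed": [], "unpinned": []}
    for line in _logical_lines(text):
        m = _PIN_RE.match(line)
        hashes = tuple(_HASH_RE.findall(line))
        if not m:
            report["unpinned"].append(line.split()[0])
        elif hashes:
            report["ok"].append((m.group(1).lower(), m.group(3), hashes))
        else:
            report["unhashed"].append(m.group(1).lower())
    return report

def is_pinning_policy_met(text):
    """CI gate: every requirement is an exact pin and carries a digest."""
    report = audit_requirements(text)
    return not report["unpinned"] and not report["unhashed"]

def artifact_matches_pin(data, allowed_hashes):
    """What `pip install --require-hashes` enforces: the file's sha256 is a recorded digest."""
    return hashlib.sha256(data).hexdigest() in allowed_hashes
```

Run `audit_requirements(SAMPLE_REQUIREMENTS)` to see the three classes for the sample file; a real CI job would feed it the project's own requirements file and fail the build when `is_pinning_policy_met` returns False.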

Go package managers

Go modules

JavaScript package managers

npm

yarn

Homebrew
(OS X)

By Kiss György
