SENG3011
2.3 - Managing Dependencies
In this lecture
What are software dependencies?
Issues in managing dependencies
Tradeoffs in reusability and platformisation
Software Libraries
Avoid reinventing the wheel
Leverage other APIs and abstractions
Platform as a Service - platforms to help you build your software
What are we depending on?
Adding a library means trusting that:
The author doesn't remove the library
The author doesn't break the library with an update
The author isn't malicious (and isn't replaced by someone who is)
The library's own dependencies stay available
Two types of dependencies
Direct dependencies - the libraries your application itself relies on
Transitive dependencies - the libraries your dependencies rely on / dependencies of dependencies
Diamond Dependencies - two of your dependencies both depend on the same library, possibly at incompatible versions (A needs D ^1.x, B needs D ^2.x); the resolver must find one version that satisfies both, or install two copies
Cyclical Dependencies - a chain of dependencies that loops back on itself (A depends on B, B depends on A); most package managers cannot resolve or build these
Lockfiles
Lockfile records the exact resolved version (and usually a content hash) of every dependency, direct and transitive
Avoids the risk of an install silently picking up newer releases of packages that depend on one another and breaking the dependency tree; everyone who installs from the lockfile gets the same tree
Semantic Versioning
Version number: major.minor.patch (e.g. 1.10.1 is major 1, minor 10, patch 1; 1.10 is newer than 1.9)
Major - when you make changes that break the API contract (break LSP)
Minor - when you add functionality in a backwards compatible manner (maintain LSP)
Patch - backwards compatible bug fix
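An added example, not from the lecture, modelling the three mechanisms above in Python: semantic versions as comparable tuples, npm-style `^` (caret) and `~` (tilde) ranges, diamond resolution where one installed copy must satisfy every dependant, and a check that a lockfile is still consistent with the manifest and the registry. The package names, versions and registry snapshots are constructed; prerelease tags are out of scope by assumption.

```python
import re

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'major.minor.patch' -> (major, minor, patch). Prerelease/build tags not handled (assumption)."""
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(g) for g in m.groups())


def satisfies(spec, version):
    """Does `version` satisfy an npm-style spec? Supports exact, ^ and ~ only."""
    v = parse_version(version)
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        # caret: the left-most non-zero component may not change (that is the API contract boundary)
        if base[0] > 0:
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
        return base <= v < upper
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        # tilde: patch-level changes only
        return base <= v < (base[0], base[1] + 1, 0)
    return v == parse_version(spec)


def resolve(spec, available):
    """What an installer without a lockfile does: take the highest published version in range."""
    matches = [a for a in available if satisfies(spec, a)]
    return max(matches, key=parse_version) if matches else None


def resolve_shared(specs, available):
    """Diamond dependency: one copy of the package must satisfy every dependant's range."""
    matches = [a for a in available if all(satisfies(s, a) for s in specs)]
    return max(matches, key=parse_version) if matches else None


def check_lock(manifest, lockfile, registry):
    """Return (name, problem) pairs; an empty list means the lockfile is consistent."""
    problems = []
    for name, spec in manifest.items():
        pinned = lockfile.get(name)
        if pinned is None:
            problems.append((name, "missing from lockfile"))
        elif pinned not in registry.get(name, []):
            problems.append((name, f"pinned {pinned} is not published"))
        elif not satisfies(spec, pinned):
            problems.append((name, f"pinned {pinned} no longer satisfies {spec}"))
    return problems


# Constructed registry snapshots and project files (not real package data).
REGISTRY_AT_LOCK_TIME = {"padder": ["1.9.3", "1.10.0", "1.10.1"]}
REGISTRY_LATER = {"padder": ["1.9.3", "1.10.0", "1.10.1", "1.11.0", "2.0.0"]}
MANIFEST = {"padder": "^1.10.1"}
LOCKFILE = {"padder": "1.10.1"}

if __name__ == "__main__":
    # Without a lockfile the same manifest resolves differently once 1.11.0 is published.
    print("at lock time:", resolve(MANIFEST["padder"], REGISTRY_AT_LOCK_TIME["padder"]))
    print("later, unlocked:", resolve(MANIFEST["padder"], REGISTRY_LATER["padder"]))
    print("later, locked:", LOCKFILE["padder"], check_lock(MANIFEST, LOCKFILE, REGISTRY_LATER))
    print("diamond ^1.2.0 + ^1.4.0:", resolve_shared(["^1.2.0", "^1.4.0"], ["1.3.0", "1.4.2", "1.5.0", "2.0.0"]))
    print("diamond ^1.4.0 + ^2.0.0:", resolve_shared(["^1.4.0", "^2.0.0"], ["1.3.0", "1.4.2", "1.5.0", "2.0.0"]))
```

The caret rule is why a `^1.10.1` range floats to 1.11.0 the moment it is published, and why the lockfile, not the manifest, is what makes two installs identical; `resolve_shared` returning `None` is the unsatisfiable diamond.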
A little copying is better than a little dependency. (Go proverb)
Case Study: left-pad
In March 2016 the author of left-pad, an npm package of about a dozen lines, unpublished it from the registry; builds of thousands of dependants, including Babel, failed until npm restored the package. A tiny library sitting deep in the transitive graph was enough to break the ecosystem.
Keeping supply chains secure
Any software dependency creates a security risk
Your code might be secure, but are your dependencies secure?
SCA - Software Composition Analysis - tools that inventory your dependencies (usually from the lockfile) and flag versions with known vulnerabilities and the security upgrades available for them (e.g. npm audit, Dependabot)
Not to be confused with SAST (Static Application Security Testing), which analyses your own source code for flaws rather than the code you import
Lockfile integrity hashes catch a different problem: a published artifact being swapped for a different one after you resolved it
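An added example, not part of the lecture or of any real tool, showing in Python the two checks a dependency audit runs over a lockfile: matching each pinned version against an advisory feed (the SCA step), and checking each fetched artifact against the integrity hash recorded at resolution time (what the installer does before unpacking). The lockfile layout follows package-lock.json (lockfileVersion 3) and npm's `sha512-<base64>` integrity strings; the package names, tarball bytes and advisory identifiers are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def integrity_of(data: bytes) -> str:
    """npm-style Subresource Integrity string for a tarball: sha512-<base64 digest>."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed tarballs as they existed when the lockfile was generated.
ARTIFACTS_AT_LOCK_TIME = {
    ("padder", "1.10.1"): b"padder tarball v1.10.1 (constructed)",
    ("colour", "2.0.0"): b"colour tarball v2.0.0 (constructed)",
}

# Constructed package-lock.json-style document; integrity values are computed
# from the tarballs above, exactly as an installer records them at resolution time.
LOCKFILE_JSON = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/padder": {
            "version": "1.10.1",
            "integrity": integrity_of(ARTIFACTS_AT_LOCK_TIME[("padder", "1.10.1")]),
        },
        "node_modules/colour": {
            "version": "2.0.0",
            "integrity": integrity_of(ARTIFACTS_AT_LOCK_TIME[("colour", "2.0.0")]),
        },
    },
})

# Constructed advisory feed in an OSV-like shape; ids and ranges are invented.
# A version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "padder", "introduced": "1.0.0", "fixed": "1.10.2"},
    {"id": "EXAMPLE-ADV-2", "package": "colour", "introduced": "3.0.0", "fixed": "3.0.1"},
]


def ver(s):
    """'1.10.1' -> (1, 10, 1); prerelease tags out of scope (assumption)."""
    return tuple(int(p) for p in s.split("."))


def installed_from_lock(lock_json):
    """{name: (version, integrity)} for every non-root entry in the lockfile."""
    lock = json.loads(lock_json)
    out = {}
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project itself
        name = path.rsplit("node_modules/", 1)[1]
        out[name] = (entry["version"], entry["integrity"])
    return out


def audit(lock_json, advisories):
    """SCA step: (name, version, advisory id) for every pinned version inside an affected range."""
    hits = []
    for name, (version, _) in installed_from_lock(lock_json).items():
        for adv in advisories:
            if adv["package"] != name:
                continue
            if ver(adv["introduced"]) <= ver(version) < ver(adv["fixed"]):
                hits.append((name, version, adv["id"]))
    return hits


def verify_install(lock_json, fetched):
    """Integrity step: names whose fetched tarball is missing or does not hash to the locked value."""
    bad = []
    for name, (version, expected) in installed_from_lock(lock_json).items():
        data = fetched.get((name, version))
        # constant-time comparison is cheap insurance when comparing any digest string
        if data is None or not hmac.compare_digest(integrity_of(data), expected):
            bad.append(name)
    return bad


if __name__ == "__main__":
    print("advisories:", audit(LOCKFILE_JSON, ADVISORIES))
    # Simulate the registry serving a different tarball under the same name and version.
    substituted = dict(ARTIFACTS_AT_LOCK_TIME)
    substituted[("padder", "1.10.1")] = b"padder tarball v1.10.1 with an extra postinstall script"
    print("integrity failures:", verify_install(LOCKFILE_JSON, substituted))
```

The two checks answer different questions: `audit` asks whether the version you chose is known to be vulnerable, while `verify_install` asks whether the bytes you are about to run are the bytes you chose. Neither helps with a version that is malicious from its first publication, which is why the lockfile hash and the advisory feed are complements, not substitutes, for reviewing what you depend on.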