All about dependencies
0 likes29 views
The document discusses software dependencies, highlighting their types (frameworks, libraries, modules, and packages) and the considerations for managing them, such as code quality and maintenance. It emphasizes the risks associated with adopting dependencies, including notable breakages in the npm ecosystem. Additionally, it provides guidelines on inspecting dependencies for overall safety and reliability.
All about dependencies
- 2. All about dependencies @ixchelruiz — JFrog
- 3. @IXCHELRUIZ
- 4. Key
- 5. Dependencies
- 7. Dependencies Not all are the same.
- 9. ixchelruiz “Dependencies are collections containing high- quality tested code that provides functionality that required significant expertise to develop. ”
- 10. ixchelruiz “Dependency managers like NPM have made possible that trivial functionality can be packaged and published”
- 12. ixchelruiz Types of Dependencies Frameworks, libraries, packages, modules and resources.
- 13. ixchelruiz Resources “Collection of files for example templates, media ( audio, video or images ), plain text files or blobs that need to be included by applications to execute correctly”
- 14. ixchelruiz Module “Set of methods and functions that provide a self contained functionality. A module usually has an interface that specifies both the functionality it provides as well as the functionality it depends on”
- 15. ixchelruiz Package “A collection of modules that hold in general the same functional purpose. Usually a directory that contains a file that describe metadata about the package.”
- 16. ixchelruiz Library “A collection of related functionality defined in several packages, is essentially a set of functions that you can call, each call does some work and returns control to the client or application that executed said function. ”
- 17. ixchelruiz Frameworks “A framework embodies some abstract design, with more behaviour built in. In order to use it you need to insert your behaviour into various places in the framework .The framework's code then calls your code at these points.”
- 18. Frameworks — Platforms Key points • Functionality • LOC ( size ) • Opinionated • Integration between functional components • Roadmap — Versioning • Licensing • Tests
- 19. ixchelruiz Angular — React Framework — Platform Library
- 21. Perspective
- 22. ixchelruiz Key considerations “Cadence of update, migrations costs or cleanup efforts”
- 23. What can possibly go wrong?
- 24. ixchelruiz The unknown programmer “ Adding a dependency outsources the work of developing that code—designing, writing, testing, debugging, and maintaining—to someone else”
- 25. ixchelruiz NPM Notable breakages March 2016: left-pad → unpublish February 2018: npm version 5.7.0 on Linux → ownership of system files July 2018: eslint-scope version 3.7.2 → copied the npm credentials. November 2018: event-stream version 3.3.6 (flatmap-stream) → stole bitcoins
- 26. ixchelruiz NPM Notable breakages April 2020: is-promise → outage in serverless applications January 2022: colors pushed changes → text in an infinite loop.
- 34. ixchelruiz Cost of adopting a bad dependency
- 36. ixchelruiz Inspect Dependency: Design “Is the documentation clear? Does the API have a clear design? ”
- 37. ixchelruiz Inspect Dependency: Code Quality “Is the code well written? Does it look like the authors have been careful, conscientious, and consistent? Does it look like code you would want to debug?”
- 38. ixchelruiz Inspect Dependency: Testing “Does the code have tests? Can you run them? Do they pass? Tests establish that the code's basic functionality is correct”
- 39. ixchelruiz Inspect Dependency: Bug fi xing “Issue tracker. Are there many open bug reports? How long have they been open? Are there many fixed bugs? Have any bugs been fixed recently?”
- 40. ixchelruiz Inspect Dependency: Maintenance “How long has the code been actively maintained? Is it actively maintained now? How many people work on the package?”
- 41. ixchelruiz Inspect Dependency: Usage “Do many other packages depend on this code? How often others write about using the project?”
- 42. ixchelruiz Inspect Dependency: Security “Will you be processing untrusted inputs with the package? If so, does it seem to be robust against malicious inputs? Does it have a history of security problems listed in the NVD (National Vulnerability Database)?”
- 43. ixchelruiz Inspect Dependency: Licensing “Is the code properly licensed? Does it have a license at all? Is the license acceptable for your project or company?”
- 44. ixchelruiz Inspect Dependency: Dependencies “Does the code have dependencies of its own? List all the transitive dependencies”
- 45. ixchelruiz Universal Artifact Management ONE tool at the centre