Abstract image of a woman sitting on books and studying on a laptop

Dependency Management at Scale

Roberto Pérez Alcolea, profile picture
Roberto Pérez Alcolea

The document discusses the challenges of dependency management at scale within large software projects, particularly at Netflix, highlighting issues such as unaligned dependencies, bugs, and security vulnerabilities. It proposes solutions including publishing BOMs, using Gradle's Java platform plugin, and alternative techniques like shading to improve consumer experience. The talk emphasizes the importance of collaboration between library producers and consumers to navigate the complexities of dependency management effectively.

Software
Related topics:
Software EngineeringInsights on Software Development
1 of 34
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Dependency Management at Scale October 3, 2020
Roberto Pérez Alcolea Senior Software Engineer @ Netflix Productivity Engineering rperezalcolea@netflix.com @rpalcolea DEPENDENCY MANAGEMENT AT SCALE
•Many repositories (~3k) •Binary integration (JARs) •Microservices with fat clients •Hundreds of engineers DEPENDENCY MANAGEMENT AT SCALE Context
DEPENDENCY MANAGEMENT AT SCALE Builds per week: local + CI
Common problems in dependency management
Adding or upgrading a dependency causes: •NoSuchMethodError •NoSuchFieldError •NoClassDefFoundError •error: cannot find symbol DEPENDENCY MANAGEMENT AT SCALE
Unaligned dependencies Transitive dependency bumps a single module but not the whole family DEPENDENCY MANAGEMENT AT SCALE
Picking up dependencies with bugs or security vulnerabilities DEPENDENCY MANAGEMENT AT SCALE
DEPENDENCY MANAGEMENT AT SCALE Publishers lack visibility • Who will I break? • Who is consuming my library? • Who is using this API that I want to change?
DEPENDENCY MANAGEMENT AT SCALE Semantic versioning is not enough • Which version should I use? • Pinning versions is technical debt
DEPENDENCY MANAGEMENT AT SCALE Java version is not compatible
What can publishers do to alleviate pain?
DEPENDENCY MANAGEMENT AT SCALE Publish a BOM for family of modules •A BOM enables consumers of a library to select consistent versions for artifacts included in that library. •Examples: ‣ jackson-bom ‣ spring-boot-dependencies •Gradle Java Platform Plugin
•When making a breaking change: ‣If the new library surface is delivered under a new Java package, you could use a new artifact ID. ‣If the breaking change is made in-place and the Java package is kept the same, use the same artifact ID. •Avoid colliding classes (same package/class under multiple artifactId) DEPENDENCY MANAGEMENT AT SCALE Rename artifacts and packages together
•Do not upgrade JDK version in your library if you have consumers in older versions •Alternatives ‣Multi Release Jars ‣Separate JARs: Variant awareness with Gradle More: Multi-release JARs - Good or bad idea? DEPENDENCY MANAGEMENT AT SCALE Support the minimum Java version of your consumers
•Shading is a process where a dependency is relocated to a different Java package and copied into the same jar as the code that relies on that dependency. DEPENDENCY MANAGEMENT AT SCALE Last resource… shading
Improving consumer experience with Nebula
This plugin provides general purpose rule types on top of Gradle resolution strategies and module metadata, allowing rules to be published, versioned, shared between projects, and optionally dependency locked. •Duplicate classes caused by changes to group or artifact ids, without renaming packages •Duplicate classes caused by bundle dependencies, which do not conflict resolve against the 'regular' dependencies for that library •Lack of version alignment between libraries, where version alignment is needed for compatibility •Ensuring a minimum version of a library Resolution Rules Plugin DEPENDENCY MANAGEMENT AT SCALE
Resolution Rules Plugin https://github.com/rpalcolea/dependency-management-at-scale-jconf-mexico/tree/resolution-rules-usage https://github.com/nebula-plugins/gradle-resolution-rules-plugin https://github.com/nebula-plugins/gradle-resolution-rules DEPENDENCY MANAGEMENT AT SCALE
Dependency locking https://github.com/rpalcolea/dependency-management-at-scale-jconf-mexico/tree/dependency-locks DEPENDENCY MANAGEMENT AT SCALE
Lint Plugin https://github.com/rpalcolea/dependency-management-at-scale-jconf-mexico/tree/lint-unused-dependencies https://github.com/nebula-plugins/gradle-lint-plugin https://github.com/rpalcolea/dependency-management-at-scale-jconf-mexico/tree/lint-undeclared-dependencies DEPENDENCY MANAGEMENT AT SCALE
How do I know who uses my library?
•Collection of services and UIs that enable artifact observability and the ability to effect change in the Netflix ecosystem. •High level goal is to decrease time and effort needed to propagate change through the Netflix ecosystem •Useful for Library deprecation and Security Vulnerabilities Astrid DEPENDENCY MANAGEMENT AT SCALE
Astrid - Artifact Management DEPENDENCY MANAGEMENT AT SCALE
Astrid - Artifact Management DEPENDENCY MANAGEMENT AT SCALE
Astrid - Campaigns DEPENDENCY MANAGEMENT AT SCALE
What about security vulnerabilities?
CVE + Astrid + Nebula DEPENDENCY MANAGEMENT AT SCALE Practical Approach to Automate the Discovery & Eradication of Open-Source Software Vulnerabilities Aladdin Almubayed | 2019
What else can we do?
•Distributed Refactoring •Managed Source: automatic PRs for dependency locks, nebula wrapper and lint rules updates. What else can we do? Evolving Continuous Integration at Netflix (Elise McCallum) | 2019 DEPENDENCY MANAGEMENT AT SCALE
Something we tried…
•When a new version of a library is published, build all the consumers •Lack of testing in projects didn’t provide enough confidence for this model Publisher Feedback DEPENDENCY MANAGEMENT AT SCALE Gradle Summit - Netflix | Dependencies, Distributed Code and Engineering Velocity - Mike McGarr | 2017
Last thoughts… •Dependency management is hard •Dependency hell is inevitable, let’s try to reduce the pain •Build often, release often. Avoid conflict resolution by limiting version skew •Producers and consumers play an important role DEPENDENCY MANAGEMENT AT SCALE
Thank
 You. Q&A rperezalcolea@netflix.com @rpalcolea https://github.com/rpalcolea

More Related Content

PDF
Leveraging Gradle @ Netflix (Guadalajara JUG Feb 25, 2021)
Roberto Pérez Alcolea
 
PDF
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Roberto Pérez Alcolea
 
PDF
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
Steve Springett
 
PPTX
Dependency-Check Ecosystem - OWASP Summit 2017
Steve Springett
 
PDF
Reactive Programming in Spring 5
poutsma
 
PDF
Leveraging Feature Toggles for your Microservices (VoxxeddaysMicroservices Pa...
Cédrick Lunven
 
PPTX
Developing for the Atlassian Ecosystem
Alex Henderson
 
PPTX
Dependency track v3.3 - What's New
Steve Springett
 
Leveraging Gradle @ Netflix (Guadalajara JUG Feb 25, 2021)
Roberto Pérez Alcolea
 
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Roberto Pérez Alcolea
 
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
Steve Springett
 
Dependency-Check Ecosystem - OWASP Summit 2017
Steve Springett
 
Reactive Programming in Spring 5
poutsma
 
Leveraging Feature Toggles for your Microservices (VoxxeddaysMicroservices Pa...
Cédrick Lunven
 
Developing for the Atlassian Ecosystem
Alex Henderson
 
Dependency track v3.3 - What's New
Steve Springett
 

What's hot (6)

PPTX
Taking Database Development to the 21st Century
DBmaestro - Database DevOps
 
PPTX
DBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
DBmaestro - Database DevOps
 
PPTX
In (database) automation we trust
DBmaestro - Database DevOps
 
PPTX
Why retail companies can't afford database downtime
DBmaestro - Database DevOps
 
PPTX
Continuous Delivery & the Database - the Final Frontier
XebiaLabs
 
PPTX
Continuous Delivery & the Database- The Final Frontier
DBmaestro - Database DevOps
 
Taking Database Development to the 21st Century
DBmaestro - Database DevOps
 
DBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
DBmaestro - Database DevOps
 
In (database) automation we trust
DBmaestro - Database DevOps
 
Why retail companies can't afford database downtime
DBmaestro - Database DevOps
 
Continuous Delivery & the Database - the Final Frontier
XebiaLabs
 
Continuous Delivery & the Database- The Final Frontier
DBmaestro - Database DevOps
 
Ad

Similar to Dependency Management at Scale (20)

PDF
Dependency Management at Scale @ JConf Centroamérica 2020
Roberto Pérez Alcolea
 
PDF
Escaping Dependency Hell: A deep dive into Gradle's dependency management fea...
Roberto Pérez Alcolea
 
PDF
Managing dependencies with gradle
Liviu Tudor
 
PDF
Keeping your build tool updated in a multi repository world
Roberto Pérez Alcolea
 
PDF
Repository Management with JFrog Artifactory
Stephen Chin
 
PDF
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Project
 
PPTX
How maven makes your development group look like a bunch of professionals.
Fazreil Amreen Abdul Jalil
 
KEY
4 maven junit
Honnix Liang
 
PDF
Dependency Management in a Complex World (JConf Chicago 2022)
Roberto Pérez Alcolea
 
PDF
Protecting your organization against attacks via the build system
Louis Jacomet
 
PDF
Enforce reproducibility: dependency management and build automation
Danilo Pianini
 
PDF
Maven
Jyothi Malapati
 
PDF
Maven
Jyothi Malapati
 
PPTX
Apache maven and its impact on java 9 (Java One 2017)
Robert Scholte
 
PDF
{py}gradle
Stephen Holsapple
 
PDF
Dependencies, dependencies, dependencies
Marcel Offermans
 
PPTX
Introduction to the Nexus tool for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
PDF
Apache Maven - eXo TN presentation
Arnaud Héritier
 
PDF
Dependency management: the cause of—and solution to—all supply chain problems
All Things Open
 
PDF
Maven 3 Overview
Mike Ensor
 
Dependency Management at Scale @ JConf Centroamérica 2020
Roberto Pérez Alcolea
 
Escaping Dependency Hell: A deep dive into Gradle's dependency management fea...
Roberto Pérez Alcolea
 
Managing dependencies with gradle
Liviu Tudor
 
Keeping your build tool updated in a multi repository world
Roberto Pérez Alcolea
 
Repository Management with JFrog Artifactory
Stephen Chin
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Project
 
How maven makes your development group look like a bunch of professionals.
Fazreil Amreen Abdul Jalil
 
4 maven junit
Honnix Liang
 
Dependency Management in a Complex World (JConf Chicago 2022)
Roberto Pérez Alcolea
 
Protecting your organization against attacks via the build system
Louis Jacomet
 
Enforce reproducibility: dependency management and build automation
Danilo Pianini
 
Maven
Jyothi Malapati
 
Maven
Jyothi Malapati
 
Apache maven and its impact on java 9 (Java One 2017)
Robert Scholte
 
{py}gradle
Stephen Holsapple
 
Dependencies, dependencies, dependencies
Marcel Offermans
 
Introduction to the Nexus tool for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Apache Maven - eXo TN presentation
Arnaud Héritier
 
Dependency management: the cause of—and solution to—all supply chain problems
All Things Open
 
Maven 3 Overview
Mike Ensor
 
Ad

Recently uploaded (20)

PDF
Website Design Services for Small Businesses.pdf
ecomme9
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PDF
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
PDF
Autodesk AutoCAD Crack Free Download 2025
hggfcrd hgggref
 
PDF
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
PDF
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
PPTX
Introduction to Windows Operating System
ssuser1028f8
 
PDF
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
PDF
The Dynamic Duo Transforming Financial Accounting Systems Through Modern Expe...
Triforce Global
 
PDF
Wondershare Recoverit Full Crack New Version (Latest 2025)
hashmi66g66
 
PPTX
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PDF
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
PPTX
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
PDF
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
Website Design Services for Small Businesses.pdf
ecomme9
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
Autodesk AutoCAD Crack Free Download 2025
hggfcrd hgggref
 
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
Introduction to Windows Operating System
ssuser1028f8
 
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
The Dynamic Duo Transforming Financial Accounting Systems Through Modern Expe...
Triforce Global
 
Wondershare Recoverit Full Crack New Version (Latest 2025)
hashmi66g66
 
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 

Dependency Management at Scale