March 19, 2020
Managing dependencies is not for the faint of heart. For a single project, you may be able to keep up with dependencies on your own. For software codebases with hundreds of modules, however, even the most seasoned developer will quickly descend into dependency hell.
Don’t worry: dependency hell has happened to the best of us! There are a couple things you can do to keep yourself sane. Read on for our three favorite tips.
Dependency Management Defined
First, let’s define some of the basic terminology.
A software dependency is an external standalone library that can be as small as a single file or as big as multiple files and folders organized into packages to perform a specific task. For example, if you created a messaging app and wanted to encrypt your messages, you could use an external package created by someone else for the encryption. Your messaging app now has a dependency — the encryption package — that it needs to run properly.
There are two types of dependencies:
- Direct dependencies are the libraries referenced directly by your application.
- Transitive dependencies are the libraries your dependencies are calling; on a basic level, they are a dependency of a dependency.
The NPM dependency network with many direct and transitive dependencies. From: https://graphcommons.com/graphs/a7ec343d-2a0c-47bb-9658-bb8315e8a096
Dependency management is a technique for identifying, resolving, and patching dependencies in your application’s codebase.
A dependency manager is a software module that helps integrate external libraries or packages into your larger application stack.
The Importance of Dependency Management
When it comes to dependency management, open source software has made things more complex. Built on the foundation of sharing and reusing code, open source software now accounts for 60-80% of all applications’ code base, which means more dependencies to manage.
So why do you need visibility into your dependencies anyway? Outdated dependencies can impact your software application in a number of ways:
- Security. Some libraries have known vulnerabilities. If you’re not updating these libraries, your application is exposed and you may be passing this risk on to others.
- Performance improvements. If your dependencies are outdated, you may be missing out on the latest enhancements that significantly improve performance or add new functionality.
- Quality assurance. To keep your application running smoothly, you need to prevent problems such as conflicting or circular dependencies as well as keep up to date on libraries that have been end-of-lifed and bug fixes.
- License compliance. With so many dependencies, it can be hard to keep track of all your open source licenses. Many organizations don’t understand all licenses need to be compatible with each other and that they are bound not just by the licenses of direct dependencies, but also by the licenses of every transitive dependency. By not fully understanding all your dependencies’ licenses, you put your own IP at risk.
Barriers to Adopting a Comprehensive Dependency Management Policy
Simple inertia is the main reason companies aren’t actively updating their dependencies. Your software is working fine, so it feels as if there’s little incentive to update it. With so many other priorities, dependency management often gets ignored.
Another reason outdated dependencies aren’t updated is due to a fear of breaking the build. Dependency management is hard, and applications depend on many libraries. You might have long chains of transitive dependencies or even circular dependencies. Updating one dependency may break another one further down the chain.
3 Tips for Managing Your Dependencies
Keeping your dependencies up to date is important, but this is far easier said than done. The really hard part of managing your dependencies is understanding which dependencies are vulnerable to security threats and which updates won’t break your code. With so many direct and transitive dependencies, this can be a challenge, but we have some tips to help you manage this process:
#1 Prioritize. Some dependencies are more important than others, so it is important to be able to prioritize them, particularly when it comes to vulnerabilities. You need to understand exactly which open source vulnerabilities are being accessed by your code and which vulnerabilities aren’t so that you can update your most critical dependencies first.
#2 Automate. Maintaining your dependencies can be extremely time sensitive when it comes to vulnerabilities and bug fixes. You can save time and reduce your exposure by automating dependency updates in your software projects and have your dependencies updated when new versions are released.
#3 Establish policies. Establishing a clear policy up front about open source usage and dependency management helps prevent headaches later in development when it is more costly to resolve them. Your policies act as a playbook by telling your development and security teams how to handle these threats in your open source components. Without policies to give clear guidance, managing dependencies efficiently tends to be extremely hard if not close to impossible.
Dependency Management Heaven
Now that you understand the challenges that come with dependency management, you probably have a lot of questions. The answer you’re searching for is dependency update automation. Dependency update automation helps you stay current and requires less time than an ad-hoc approach. It also gives you a number of advanced features like sorting by dependency or patch type and can even auto-merge pull requests if tests pass.
With data breaches more common and compliance top of mind, developers are more concerned about dependency management than ever before. You can stay out of dependency hell by creating a clear plan that prioritizes dependencies with vulnerabilities and handles updates automatically.
Developers and DevOps personnel have powerful new tools for dependency management available to them, which will help usher them to dependency heaven.