Principle: Own your dependencies
Tags: dependencies, supply chain, left-pad, npm audit, vendor, isolation
Problem
Over-reliance on third-party libraries creates fragility: breaking changes, abandoned packages, security vulnerabilities, and supply chain attacks.
Solution
Manage dependency risk actively:
Evaluate before adding:
- Can you write this in 50 lines? Don't add a dependency for it
- Is the package maintained? Check: last commit, open issues, bus factor
- How many transitive dependencies does it pull in?
- Is there a standard library alternative?
Dependency hygiene:
- Pin exact versions (lock files)
- Run npm audit / pip-audit / cargo audit in CI
- Update dependencies regularly (monthly), not all at once
- Review changelogs before updating major versions
- Use Dependabot/Renovate for automated update PRs
Isolation patterns:
```python
# Wrap third-party libraries behind your own interface.
# (Illustrative: the `moment` calls below follow the page's moment.js-style example.)

# BAD: moment called directly in 50 files
moment(date).format('YYYY-MM-DD')

# GOOD: wrapped in one utility module of your own
# date_utils.py
def format_date(date, fmt='YYYY-MM-DD'):
    return moment(date).format(fmt)

# Switching libraries = change one file
```
Red flags:
- Package does something trivial (left-pad, is-odd)
- Package has 100+ transitive dependencies for a simple task
- Package requires native compilation for a non-performance-critical task
- Package hasn't been updated in 2+ years
- Package has a single maintainer with no succession plan
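The "Evaluate before adding" checklist and the red-flag list above can be turned into a pre-merge check. The following is an added example, not code from the original page: it scores candidate packages against those red flags using a small constructed metadata table (the field names `deps`, `published`, `maintainers`, `native`, `loc` are an assumed shape, not any real registry's format).

```python
"""Offline red-flag checker for candidate dependencies (added example).
The metadata shape is a constructed assumption; real registries differ."""
from datetime import date

# Constructed sample metadata, shaped to hit each red flag on the page.
PACKAGES = {
    "left-pad":  {"deps": [], "published": "2018-03-01", "maintainers": ["alice"], "native": False, "loc": 20},
    "bloat":     {"deps": [f"leaf-{i}" for i in range(120)], "published": "2025-01-10",
                  "maintainers": ["a", "b"], "native": False, "loc": 3000},
    "fast-hash": {"deps": ["node-gyp-build"], "published": "2025-03-02",
                  "maintainers": ["a", "b", "c"], "native": True, "loc": 800},
    "date-lib":  {"deps": ["tz-data"], "published": "2025-02-01",
                  "maintainers": ["a", "b"], "native": False, "loc": 4000},
}
for i in range(120):  # synthetic leaf packages pulled in by "bloat"
    PACKAGES[f"leaf-{i}"] = {"deps": [], "published": "2025-01-01", "maintainers": ["x"], "native": False, "loc": 100}
for leaf in ("node-gyp-build", "tz-data"):
    PACKAGES[leaf] = {"deps": [], "published": "2025-01-01", "maintainers": ["x", "y"], "native": False, "loc": 500}


def transitive_deps(name, packages):
    """Return the full transitive dependency set of `name` (cycles tolerated)."""
    seen, stack = set(), list(packages[name]["deps"])
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(packages.get(dep, {"deps": []})["deps"])
    return seen


def red_flags(name, packages, today):
    """Apply the page's red-flag list to one candidate package; empty list = no flags."""
    meta = packages[name]
    flags = []
    if meta["loc"] <= 50:  # "Can you write this in 50 lines?"
        flags.append("trivial: write it yourself")
    if len(transitive_deps(name, packages)) >= 100:
        flags.append("100+ transitive dependencies")
    if meta["native"]:  # a human still decides whether the task is performance-critical
        flags.append("native compilation required")
    if (today - date.fromisoformat(meta["published"])).days > 2 * 365:
        flags.append("not updated in 2+ years")
    if len(meta["maintainers"]) == 1:
        flags.append("single maintainer")
    return flags


if __name__ == "__main__":
    for pkg in ("left-pad", "bloat", "fast-hash", "date-lib"):
        print(pkg, red_flags(pkg, PACKAGES, date(2025, 6, 1)) or "OK")
```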
Why
Every dependency is code you didn't write, don't fully understand, and can't control. The left-pad incident, log4j vulnerability, and colors.js sabotage all demonstrate this risk.
Context
Managing third-party dependencies in any project