
Principle: Own your dependencies

Submitted by: @anonymous
Tags: dependencies, supply chain, left-pad, npm audit, vendor, isolation

Problem

Over-reliance on third-party libraries creates fragility: breaking changes, abandoned packages, security vulnerabilities, and supply chain attacks.

Solution

Manage dependency risk actively:

Evaluate before adding:
  • Can you write it yourself in 50 lines? Then don't add a dependency for it
  • Is the package maintained? Check: last commit, open issues, bus factor
  • How many transitive dependencies does it pull in?
  • Is there a standard library alternative?
Dependency hygiene:
  • Pin exact versions (lock files)
  • Run npm audit / pip-audit / cargo audit in CI
  • Update dependencies regularly (monthly), in small batches rather than all at once
  • Review changelogs before updating major versions
  • Use Dependabot/Renovate for automated update PRs
Isolation patterns:
// Wrap third-party libraries behind your own interface
// BAD: moment.js called directly in 50 files
moment(date).format('YYYY-MM-DD')

// GOOD: wrapped in your own utility module
// date_utils.js
import moment from 'moment';

export function formatDate(date, fmt = 'YYYY-MM-DD') {
  return moment(date).format(fmt);
}
// Switching libraries = change one file (the callers never see moment)
Red flags:
  • Package does something trivial (left-pad, is-odd)
  • Package has 100+ transitive dependencies for a simple task
  • Package requires native compilation for a non-performance-critical task
  • Package hasn't been updated in 2+ years
  • Package has a single maintainer with no succession plan
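An added example (not part of the original entry) that answers "How many transitive dependencies does it pull in?" for each direct dependency and applies the "100+ transitive dependencies" red flag above. It reads the `packages` map of a lockfileVersion 2/3 `package-lock.json` (the sample lockfile here is constructed inline; names and versions are illustrative) and resolves package names the way Node does, nearest `node_modules` directory first, so nested copies and dependency cycles are handled.

```javascript
// Added example: transitive footprint of each direct dependency from a package-lock.json
// "packages" map, resolved like Node (nearest node_modules, walking up). Sample is constructed.
const sampleLock = {
  packages: {
    "": { dependencies: { "left-pad": "^1.3.0", chalk: "^4.1.2" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/chalk": { version: "4.1.2", dependencies: { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } },
    "node_modules/ansi-styles": { version: "4.3.0", dependencies: { "color-convert": "^2.0.1" } },
    "node_modules/color-convert": { version: "2.0.1", dependencies: { "ansi-styles": "^4.1.0" } }, // constructed cycle
    "node_modules/supports-color": { version: "7.2.0", dependencies: { "has-flag": "^4.0.0" } },
    "node_modules/has-flag": { version: "4.0.0" },
    "node_modules/supports-color/node_modules/has-flag": { version: "3.0.0" }, // nested copy shadows the hoisted one
  },
};
// Resolve `name` as required from the package at `fromPath` ("" is the project root).
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not in the lockfile at all
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every package reachable from `rootPath` through runtime dependencies (devDependencies ignored).
function transitiveClosure(packages, rootPath) {
  const seen = new Set(), stack = [rootPath];
  while (stack.length) {
    const path = stack.pop();
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const dep = resolveDep(packages, path, name);
      if (dep === null || seen.has(dep)) continue; // `seen` also breaks cycles
      seen.add(dep);
      stack.push(dep);
    }
  }
  return seen;
}

// One row per direct dependency; `threshold` is the entry's "100+ transitive deps" red flag.
function auditDirectDeps(lock, threshold = 100) {
  const report = {};
  for (const name of Object.keys(lock.packages[""].dependencies || {})) {
    const path = resolveDep(lock.packages, "", name);
    const size = path ? transitiveClosure(lock.packages, path).size : 0;
    report[name] = { transitive: size, redFlag: size >= threshold };
  }
  return report;
}
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; the shadowed hoisted `has-flag` in the sample is deliberately not counted for `chalk`, which is the distinction a flat name count gets wrong.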

Why

Every dependency is code you didn't write, don't fully understand, and can't control. The left-pad incident, log4j vulnerability, and colors.js sabotage all demonstrate this risk.

Context

Managing third-party dependencies in any project
