The benefit of software dependencies is that they allow developers to deliver software faster building on previous code. Dependencies are integral part of the software development cycle and they will be used at different stages i.e. development, execution or testing. Yet dependencies not only may introduce risks that are often overlooked, but their fast resolution and compliance with license types must be taken into consideration. In this extremely fast session we will see some of the advantages of using a mature, robust artifact manager for npm, bower and other package managers
13. ixchelruiz
Resources
“Collection of files for example templates, media ( audio,
video or images ), plain text files or blobs that need to
be included by applications to execute correctly”
14. ixchelruiz
Module
“Set of methods and functions that provide a self
contained functionality. A module usually has
an interface that specifies both the functionality it
provides as well as the functionality it depends on”
15. ixchelruiz
Package
“A collection of modules that hold in general the same
functional purpose. Usually a directory that contains
a file that describe metadata about the package.”
16. ixchelruiz
Library
“A collection of related functionality defined in several
packages, is essentially a set of functions that you can
call, each call does some work and returns control to
the client or application that executed said function. ”
17. ixchelruiz
Frameworks
“A framework embodies some abstract design, with more
behaviour built in. In order to use it you need to insert
your behaviour into various places in the framework .The
framework's code then calls your code at these points.”
24. ixchelruiz
The unknown programmer
“ Adding a dependency outsources the work of
developing that code—designing, writing, testing,
debugging, and maintaining—to someone else”
25. ixchelruiz
NPM
Notable breakages
March 2016: left-pad → unpublish
February 2018: npm version 5.7.0 on Linux → ownership of system
files
July 2018: eslint-scope version 3.7.2 → copied the npm
credentials.
November 2018: event-stream version 3.3.6 (flatmap-stream)
→ stole bitcoins
37. ixchelruiz
Inspect Dependency: Code Quality
“Is the code well written? Does it look like the authors
have been careful, conscientious, and consistent?
Does it look like code you would want to debug?”
42. ixchelruiz
Inspect Dependency: Security
“Will you be processing untrusted inputs with the package?
If so, does it seem to be robust against malicious inputs?
Does it have a history of security problems listed in the
NVD (National Vulnerability Database)?”