Write code you can depend on!
THE HIDDEN COST OF DEPENDENCIES AND AVOIDING THE LEFT-PAD PROBLEM

Who are you?

About Me
• Logan Spears
• Software Consultant since 2011
• Director of Development ShaleApps 2015
• Worked on
  • iOS
  • Android
  • Server (mostly go)
  • Some web
• github.com/loganjspears

What is the left-pad problem?

The left-pad Problem
• npm package left-pad was unpublished
• left-pad was a dependency of React, Babel, and other major packages.
• Left-pad and its dependents were unavailable for 2.5 hours during the outage.

npm Strikes Back
• npm restored left-pad and other affected packages
• They severely restricted un-publishing packages
• The day is saved! Total downtime was only 2.5 hours. Glad it won’t happen again!

Can we review dependencies for a sec?

Dependency Pros and Cons
Pros
• You get to stand on the shoulders of programming giants
• Developer productivity is increased
• DRY principles are upheld
Cons
• Cognitive load increased
• Abandoned projects are common
• Reproducible builds can be more difficult
• Surface area is larger for bugs and security vulnerabilities

Is there a larger problem here?

The Larger Problem
• Dependency graphs are extensive
• express dependency graph includes:
  • 41 nodes
  • 31 maintainers
  • “ee-first” contains two functions
  • “range-parser” contains one function
• Not all dependency versions are pinned

Review of Semantic Versioning
• MAJOR version when you make incompatible API changes,
• MINOR version when you add functionality in a backwards-compatible manner, and
• PATCH version when you make backwards-compatible bug fixes.
• Express dependencies shown to the right. The “~” indicates packages that will automatically absorb patch numbers.

Breaking the Build
• Can you trust 31 maintainers and countless contributors to push bug-free code?
• Semantic versioning is not a hard guarantee
• You can’t guarantee your dependencies will pin their dependencies’ version numbers.

Security Concerns
• rimrafall malicious package executing rm -rf /* /.*
• npm accounts of dependency maintainers can be compromised
• Commonly confused packages e.g. “express” vs “expressjs”
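
A check for the "commonly confused packages" risk, as an added example that is not part of the original slides: it flags dependency names that resemble, but do not equal, a package the team intends to use. The allowlist reuses names mentioned in the deck; the sample manifest, its versions and the `ee-frist` and `leftpad` entries are constructed.

```javascript
// Added example. KNOWN is a constructed allowlist built from names in the slides.
const KNOWN = ['express', 'left-pad', 'range-parser', 'ee-first'];

// Collapse separators and common decorations so that "expressjs",
// "express-js" and "node-express" all normalize to "express".
function normalize(name) {
  return name.toLowerCase()
    .replace(/[-_.]/g, '')
    .replace(/^node/, '')
    .replace(/js$/, '');
}

// Plain Levenshtein distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns the known package that `name` resembles, or null.
function lookalikeOf(name, known = KNOWN) {
  if (known.includes(name)) return null; // exact match is the intended package
  const n = normalize(name);
  for (const k of known) {
    const nk = normalize(k);
    // Short names get a tighter threshold to limit false positives.
    const limit = nk.length >= 6 ? 2 : 1;
    if (n === nk || editDistance(n, nk) <= limit) return k;
  }
  return null;
}

// Audit the "dependencies" object of a package.json.
function auditNames(dependencies, known = KNOWN) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    const resembles = lookalikeOf(name, known);
    if (resembles) findings.push({ name, resembles });
  }
  return findings;
}

// Constructed sample manifest; versions are placeholders.
const sampleDependencies = {
  express: '1.0.0',
  expressjs: '1.0.0',
  leftpad: '1.0.0',
  'ee-frist': '1.0.0',
  lodash: '1.0.0',
};

for (const f of auditNames(sampleDependencies)) {
  console.log(`review "${f.name}": resembles known package "${f.resembles}"`);
}
```

Run it in CI against the manifest and fail the build on any finding that has not been explicitly reviewed.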

I deal with it now. What’s the big deal?

npm install != npm install
• npm install can produce different results with the same package.json
• Heroku, for example, uses npm install for deployments
• Best practices advise to exclude dependencies from git
• Your dev, CI, and production environment can all act differently
• Everything can break when you push to production!
• npm.org might be down!
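
Why the same package.json installs differently on different days, as an added example that is not from the original slides: a simplified resolver for exact, `~x.y.z` and `^x.y.z` ranges run against two constructed registry snapshots. It is not npm's own semver code; the package names `pkg-a`, `pkg-b`, `pkg-c` and the published version lists are assumptions made for illustration.

```javascript
// Added example: handles only exact, "~x.y.z" and "^x.y.z" specs.
// Prerelease tags and partial versions are out of scope.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Exclusive upper bound implied by the range operator.
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0]; // absorbs patch releases only
  // Caret: the leftmost non-zero component may not change.
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Highest published version satisfying the spec, or null if none does.
function resolve(spec, published) {
  const op = spec[0] === '~' || spec[0] === '^' ? spec[0] : '';
  const base = parseVersion(spec.slice(op.length));
  const candidates = published.map(parseVersion).filter((v) => {
    if (!op) return compare(v, base) === 0;
    return compare(v, base) >= 0 && compare(v, upperBound(op, base)) < 0;
  });
  if (candidates.length === 0) return null;
  candidates.sort(compare);
  return candidates[candidates.length - 1].join('.');
}

function installPlan(dependencies, registry) {
  const plan = {};
  for (const [name, spec] of Object.entries(dependencies)) {
    plan[name] = resolve(spec, registry[name] || []);
  }
  return plan;
}

// Names whose resolved version differs between two installs.
function drift(before, after) {
  return Object.keys(before).filter((n) => before[n] !== after[n]);
}

// Constructed data: one manifest, two snapshots of what is published.
const dependencies = { 'pkg-a': '~1.2.3', 'pkg-b': '^1.2.3', 'pkg-c': '1.2.3' };
const registryMonday = { 'pkg-a': ['1.2.3'], 'pkg-b': ['1.2.3'], 'pkg-c': ['1.2.3'] };
const registryFriday = {
  'pkg-a': ['1.2.3', '1.2.4', '1.3.0'],
  'pkg-b': ['1.2.3', '1.2.4', '1.3.0', '2.0.0'],
  'pkg-c': ['1.2.3', '1.2.4'],
};

const monday = installPlan(dependencies, registryMonday);
const friday = installPlan(dependencies, registryFriday);
console.log('monday:', monday);
console.log('friday:', friday);
console.log('drifted:', drift(monday, friday));
```

An exact pin stops drift, but `resolve('1.2.3', [])` still returns `null` when the version has been unpublished, which is the left-pad case.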

Ok fine I care. What should I do?

Make your builds reproducible!
• Check your dependencies into git
  • Architecture problems can arise
  • Have to remove build artifacts
• npm shrinkwrap
• Build Docker image (shown later)
• Reduce your dependencies!

Okay you hate npm are we done?

Nope. Let's take a look at Go!

Out of the box
• Typical workflow
  • Write code
  • import “github.com/org/dep”
  • go get
  • Write more code
• Shared $GOPATH
• Go is a new awesome language. There can’t be any problems here!

go get… Problems
• $GOPATH dependency versions can conflict
• Dependencies point to master branch which can change
• go get can produce different results from the same source
• Can I have semantic versioning back?

How do I avoid getting shot by that gopher?

Hacks prior to Go 1.6
• gopkg.in
  • URL based versioning
  • Ex. “gopkg.in/yaml.v1”
• GB
  • Alternative go tool
  • Separate $GOPATH for each project
• godep
  • Embed dependencies in source
  • Rewrite import paths

>= Go 1.6
• Vendor support added in Go 1.6
• Tools now copy source into vendor directory
• godep uses /vendor
• Builds now reproducible from just the source
• Your build can’t fail if github is down!

I am cool and use Docker. Am I covered?

Docker w/ Node & npm
• Bad
  • CI and Production using source and Dockerfile instead of image
• Good
  • Saving your image and running tests on it

Docker w/ Go
Bad
Good

“A little copying is better than a little dependency.”
ROB PIKE

GDG Morgantown, WV: Write code you can depend on!
