3. About Me
Logan Spears
Software Consultant since 2011
Director of Development ShaleApps
2015
Worked on
iOS
Android
Server (mostly go)
Some web
github.com/loganjspears
5. The left-pad Problem
npm package left-pad was
unpublished
left-pad was a dependency of React,
Babel, and other major packages.
Left-pad and its dependents were
unavailable for 2.5 hours during the
outage.
6. npm Strikes Back
npm restored left-pad and other
affected packages
They severely restricted un-publishing
packages
The day is saved! Total down time was
only 2.5 hours. Glad it won’t happen
again!
8. Dependency Pros and Cons
Pros
You get to stand on the shoulders of
programming giants
Developer productivity is increased
DRY principals are upheld
Cons
Cognitive load increased
Abandoned projects are common
Reproducible builds can be more
difficult
Surface area is larger for bugs and
security vulnerabilities
10. The Larger Problem
Dependency graphs are extensive
express dependency graph includes:
41 nodes
31 maintainers
“ee-first” contains two functions
“range-parser” contains one function
Not all dependency versions are
pinned
11. Review of Semantic Versioning
MAJOR version when you make
incompatible API changes,
MINOR version when you add
functionality in a backwards-
compatible manner, and
PATCH version when you make
backwards-compatible bug fixes.
Express dependencies shown to the
right. The “~” indicates packages that
will automatically absorb patch
numbers.
12. Breaking the Build
Can you trust 31 maintainers and
countless contributors to push bug
free code?
Semantic versioning is not a hard
guarantee
You can’t guarantee your
dependencies will pin their
dependencies’ version numbers.
13. Security Concerns
rimrafall malicious package executing
rm -rf /* /.*
npm accounts of dependency
maintainers can be compromised
Commonly confused packages e.g.
“express” vs “expressjs”
15. npm install != npm install
npm install can produce different
results with the same package.json
Heroku, for example, uses npm install
for deployments
Best practices advise to exclude
dependencies from git
Your dev, CI, and production
environment can all act differently
Everything can break when you push
to production!
npm.org might be down!
17. Make your builds reproducible!
Check your dependencies into git
Architecture problems can arise
Have to remove build artifacts
npm shrinkwrap
Build Docker image (shown later)
Reduce your dependencies!
20. Out of the box
Typical workflow
Write code
import “github.com/org/dep”
go get
Write more code
Shared $GOPATH
Go is a new awesome language.
There can’t be any problems here!
21. go get… Problems
$GOPATH dependency versions can
conflict
Dependencies point to master branch
which can change
go get can produce different results
from the same source
Can I have semantic versioning back?
23. Hacks prior to Go 1.6
gopkg.in
URL based versioning
Ex. “gopkg.in/yaml.v1”
GB
Alternative go tool
Separate $GOPATH for each project
godep
Embed dependencies in source
Rewrite import paths
24. >= Go 1.6
Vendor support added in Go 1.6
Tools now copy source into vendor
directory
godep uses /vendor
Builds now reproducible from just the
source
Your build can’t fail if github is down!