All About Dependencies

Rate this content

The benefit of software dependencies is that they allow developers to deliver software faster building on previous code. Dependencies are integral part of the software development cycle and they will be used at different stages i.e. development, execution or testing. Yet dependencies not only may introduce risks that are often overlooked, but their fast resolution and compliance with license types must be taken into consideration. In this extremely fast session we will see some of the advantages of using a mature, robust artifact manager for npm, bower and other package managers.

8 min
24 Mar, 2022


Sign in or register to post your comment.

Video Summary and Transcription

Today's presentation discusses the role of dependencies in software development, including different types of dependencies and their impact on development and maintenance. The talk also highlights incidents related to software dependencies, such as naming disputes and compromised credentials, which have led to system failures and security breaches. Efforts are being made to address these issues with tools like X-Ray and scorecards that provide analysis and insights for improvement.

Available in Español

1. Introduction to Software Dependencies

Short description:

Today's presentation is about dependencies in software development. Dependencies are an integral part of the development cycle, used at different stages. There are different types of dependencies, such as framework libraries, package modules, and resources. Understanding the degree of need for each dependency helps define update canons, migration cost, and cleanup efforts. However, adding a dependency outsources the development and maintenance work to others, exposing our programs to potential failures and flaws.

Thank you very much for being here. My name is Xuxa Ruiz. I'm from Mexico living in Switzerland. I'm a Java Champion. I work for a company, Jfrog.

Today's presentation it's about a key part of our software development process, dependencies. We don't need to reinvent the wheel every time we want to achieve some new level of functionality or deliver software faster. We want and we do reuse software written by others every day, software dependencies. And they are integral part of the software development cycle. They will be used at different stages, development, runtime or execution and testing. But they are not all the same.

So I'm going to present you with two statements and you will tell me if they are true or false. Dependencies are collections containing high-quality tested code that provides functionality that require significant expertise to develop. True. Dependency managers like NPM have made it possible that almost trivial functionality can be packaged and published. True. So these are both sides of the spectrum in terms of how the functionality is provided by dependencies.

So we know that there are different types of dependencies. For this super quick talk, I'm only going to mention them. Framework libraries, package modules, and resources. And we have a very clear example in Angular, which is a platform, and React, which is a library. So they are already telling you the level of integration between different functional components and how pin-united they are. And on the other side, this is a list of NPM micro-packages that are very useful.

So we have discussed that there are different types of dependencies, so with this we can also start thinking about our degree of need, or dependency level. So we can create a map of what of our dependencies are crucial, important, cosmetic, easily changed, or superfluous. And all this will help us to define the canons of update, the migration cost, or cleanup efforts. And these are really important during the development process and under normal circumstances, when the dependencies are okay. But things go wrong and they usually go wrong. So adding a dependency outsources the work of developing that code, designing, writing, testing, debugging, and maintaining to someone else, often their unknown programmer. And using that specific code exposed our programs to all failures and flaws that there will be in our dependency.

2. Software Dependency Incidents

Short description:

In the world of software dependencies, there have been various incidents that highlight the potential risks. Examples include disputes over naming, compromised credentials, malicious releases, and packages containing encrypted payloads. These incidents have caused system failures, compromised security, and disrupted applications. However, efforts are being made to address these issues, with tools like X-Ray and scorecards providing analysis and insights for improvement.

For example, in NPM, in March 2016, there was a dispute between the naming. It was unpublished three hours later. NPM Registry published it again, and even changed its policies. In February 2018, there was a problem with NPM versions 5.7.0. And in Linux, when you run the sudo npm, it changed the ownership of the system file. So they broke the machine. In July 2018, the NPM credentials of a maintainer of Estlin-Scope were compromised. So there was a malicious release of Estlin-Scope in version 3.7.2. And that copied the NPM credentials of the machine that were running it and upload them. In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of EventStream. This was a flat mount string and contained encrypted payloads that stole bitcoins from certain applications. In April 2020, a small package called spromise made a lot of serverless applications go down. In January 2022, I think you all know that the maintainer of colors pushed changes printing garbage text in an infinite loop. And that was a problem. More recently, companies like mine, jfrog, is actually constantly updating and sending information about malicious npm packages that have appeared. So those are some of the most recent ones.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

React Advanced Conference 2021React Advanced Conference 2021
19 min
Automating All the Code & Testing Things with GitHub Actions
Top Content
Code tasks like linting and testing are critical pieces of a developer’s workflow that help keep us sane like preventing syntax or style issues and hardening our core business logic. We’ll talk about how we can use GitHub Actions to automate these tasks and help keep our projects running smoothly.
DevOps.js Conf 2022DevOps.js Conf 2022
33 min
Fine-tuning DevOps for People over Perfection
Demand for DevOps has increased in recent years as more organizations adopt cloud native technologies. Complexity has also increased and a "zero to hero" mentality leaves many people chasing perfection and FOMO. This session focusses instead on why maybe we shouldn't adopt a technology practice and how sometimes teams can achieve the same results prioritizing people over ops automation & controls. Let's look at amounts of and fine-tuning everything as code, pull requests, DevSecOps, Monitoring and more to prioritize developer well-being over optimization perfection. It can be a valid decision to deploy less and sleep better. And finally we'll examine how manual practice and discipline can be the key to superb products and experiences.
DevOps.js Conf 2022DevOps.js Conf 2022
27 min
Why is CI so Damn Slow?
We've all asked ourselves this while waiting an eternity for our CI job to finish. Slow CI not only wrecks developer productivity breaking our focus, it costs money in cloud computing fees, and wastes enormous amounts of electricity. Let’s take a dive into why this is the case and how we can solve it with better, faster tools.
DevOps.js Conf 2022DevOps.js Conf 2022
31 min
The Zen of Yarn
In the past years Yarn took a spot as one of the most common tools used to develop JavaScript projects, in no small part thanks to an opinionated set of guiding principles. But what are they? How do they apply to Yarn in practice? And just as important: how do they benefit you and your projects?
In this talk we won't dive into benchmarks or feature sets: instead, you'll learn how we approach Yarn’s development, how we explore new paths, how we keep our codebase healthy, and generally why we think Yarn will remain firmly set in our ecosystem for the years to come.
DevOps.js Conf 2024DevOps.js Conf 2024
25 min
Atomic Deployment for JS Hipsters
Deploying an app is all but an easy process. You will encounter a lot of glitches and pain points to solve to have it working properly. The worst is: that now that you can deploy your app in production, how can't you also deploy all branches in the project to get access to live previews? And be able to do a fast-revert on-demand?Fortunately, the classic DevOps toolkit has all you need to achieve it without compromising your mental health. By expertly mixing Git, Unix tools, and API calls, and orchestrating all of them with JavaScript, you'll master the secret of safe atomic deployments.No more need to rely on commercial services: become the perfect tool master and netlifize your app right at home!

Workshops on related topic

DevOps.js Conf 2022DevOps.js Conf 2022
152 min
MERN Stack Application Deployment in Kubernetes
Deploying and managing JavaScript applications in Kubernetes can get tricky. Especially when a database also has to be part of the deployment. MongoDB Atlas has made developers' lives much easier, however, how do you take a SaaS product and integrate it with your existing Kubernetes cluster? This is where the MongoDB Atlas Operator comes into play. In this workshop, the attendees will learn about how to create a MERN (MongoDB, Express, React, Node.js) application locally, and how to deploy everything into a Kubernetes cluster with the Atlas Operator.
React Summit 2023React Summit 2023
88 min
Deploying React Native Apps in the Cloud
Deploying React Native apps manually on a local machine can be complex. The differences between Android and iOS require developers to use specific tools and processes for each platform, including hardware requirements for iOS. Manual deployments also make it difficult to manage signing credentials, environment configurations, track releases, and to collaborate as a team.
Appflow is the cloud mobile DevOps platform built by Ionic. Using a service like Appflow to build React Native apps not only provides access to powerful computing resources, it can simplify the deployment process by providing a centralized environment for managing and distributing your app to multiple platforms. This can save time and resources, enable collaboration, as well as improve the overall reliability and scalability of an app.
In this workshop, you’ll deploy a React Native application for delivery to Android and iOS test devices using Appflow. You’ll also learn the steps for publishing to Google Play and Apple App Stores. No previous experience with deploying native applications is required, and you’ll come away with a deeper understanding of the mobile deployment process and best practices for how to use a cloud mobile DevOps platform to ship quickly at scale.
DevOps.js Conf 2022DevOps.js Conf 2022
13 min
Azure Static Web Apps (SWA) with Azure DevOps
Azure Static Web Apps were launched earlier in 2021, and out of the box, they could integrate your existing repository and deploy your Static Web App from Azure DevOps. This workshop demonstrates how to publish an Azure Static Web App with Azure DevOps.
DevOps.js Conf 2022DevOps.js Conf 2022
163 min
How to develop, build, and deploy Node.js microservices with Pulumi and Azure DevOps
The workshop gives a practical perspective of key principles needed to develop, build, and maintain a set of microservices in the Node.js stack. It covers specifics of creating isolated TypeScript services using the monorepo approach with lerna and yarn workspaces. The workshop includes an overview and a live exercise to create cloud environment with Pulumi framework and Azure services. The sessions fits the best developers who want to learn and practice build and deploy techniques using Azure stack and Pulumi for Node.js.