The Dependency Hell

February 17, 2022


Hola people! 👋

Did you know there was a time when every feature of a company's projects was built from scratch? Nowadays, every community, company or developer depends on third parties or other projects/libraries (a.k.a. dependencies) to build their own project quickly and more efficiently. This not only brings new features and modules to your project but also a dreadful thing, i.e. heavy bundling. Or, as I would call it (..drum rolls)

THE DEPENDENCY HELL🔥

 

If you don’t believe me, you can check any JS framework project by simply importing its package.json file into NPMGraph. This will show you all the connected node packages that you didn't know were part of the project.


Definitions

A few terms to make your reading more understandable:

NPM - It is the world’s largest software registry, which is used to maintain and manage packages. It is also a place where any developer can publish their project to provide new services.

Dependencies (a.k.a. deps) - In npm, a dependency is a package/module which a project requires to make a particular function work and which is also required in production. Dependencies are stored in your node_modules folder.

DevDependencies (a.k.a. devDeps) - They are similar to Dependencies, but are used specifically for development purposes, like bundling packages or testing libraries, and DO NOT contribute to the production build.

PeerDependencies (a.k.a. peerDeps) - Just as your projects depend on 3rd party packages (dependencies), these 3rd party packages depend on their own dependencies; such deps are called peerDependencies.

Now that there's enough generalized information, let's proceed with the article.


Q. Do I need to maintain my peerDependencies? Should I worry about the size of my node_modules? Do I need to zip my modules?

Ans. Yes. Sí. Oui.

Reason: It's every developer's job to maintain and take care of their dependencies, whether for better performance, efficient use of storage space, reduced latency or stability. However, it’s not a good practice to rely only on optimization tools such as tree shaking libraries or bundle managers. Maintaining dependencies yourself helps developers understand version control and how package resolution works, avoid security issues and decrease build time in development.


How to manage your dependencies

A few recommendations from my ongoing research:

  1. Bump dependencies in a new branch if the following conditions hold:
    (i) An update is required due to security issues in the peerDeps.
    (ii) The branch has no breaking changes.
    (iii) It is compatible with the required node version.
  2. Use [npm audit] and [npm audit fix] for reviewing and fixing security issues.
  3. Check to see if the dependency package can be substituted with a smaller size package or its native version. (BundlePhobia)
  4. Do not install dependencies that their contributors have not maintained for longer than a year or so.
  5. Import packages only when you're using at least 60% of that package’s functionality. If not, do a manual tree shake by locating and importing the file where the function exists.
  6. Use automated dependency manager services like Snyk and Dependabot.
  7. Use websites like NPM graph, or libraries like depcheck, webpack analyser to gain more insights about the installed modules and the dependency tree.
  8. Two more cool libraries are node-prune and ModClean. Both of them have the same purpose, to remove everything that is not necessary for a package, such as markdown, typescript source files, and so on.
  9. Move or add dependencies to devDependencies if you think they won't be required for production purposes, e.g. testing libraries such as jest or JS/CSS loaders.
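
To put numbers on recommendations 7 and 9, here is an added example (not code from the original post) that walks a lockfile in the package-lock.json v2/v3 layout and separates what you declared from what actually gets installed and shipped. The sample lockfile, its package names and the DEV_ONLY_TOOLS list are constructed assumptions.

```javascript
// Constructed sample in the package-lock.json v2/v3 layout ("packages" map).
// Package names and versions are illustrative, not from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { express: "^4.18.0", jest: "^29.0.0" },
      devDependencies: { eslint: "^8.0.0" },
    },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/body-parser": { version: "1.20.1" },
    "node_modules/body-parser/node_modules/debug": { version: "2.6.9" },
    "node_modules/jest": { version: "29.7.0" },
    "node_modules/jest-cli": { version: "29.7.0" },
    "node_modules/eslint": { version: "8.57.0", dev: true },
    "node_modules/espree": { version: "9.6.1", dev: true },
  },
};

// Hypothetical list of tools that normally belong in devDependencies (item 9).
const DEV_ONLY_TOOLS = new Set(["jest", "mocha", "eslint", "webpack", "css-loader"]);

// Package name = text after the last "node_modules/" in the lockfile key.
function packageName(lockKey) {
  return lockKey.slice(lockKey.lastIndexOf("node_modules/") + "node_modules/".length);
}

function summarizeLockfile(lock) {
  const root = lock.packages[""] || {};
  const directProd = Object.keys(root.dependencies || {});
  const directDev = Object.keys(root.devDependencies || {});
  const direct = new Set([...directProd, ...directDev]);
  const summary = { directProd: directProd.length, directDev: directDev.length,
                    transitiveProd: [], transitiveDev: [], misplaced: [] };
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue;                        // the root project itself
    const name = packageName(key);
    const topLevel = key === "node_modules/" + name; // not nested under another package
    if (topLevel && direct.has(name)) continue;      // declared directly in package.json
    // npm marks packages reachable only through devDependencies with dev: true.
    (entry.dev ? summary.transitiveDev : summary.transitiveProd).push(name);
  }
  // Dev tooling listed under "dependencies" is installed in production too.
  summary.misplaced = directProd.filter((n) => DEV_ONLY_TOOLS.has(n));
  return summary;
}

console.log(summarizeLockfile(sampleLock));
```

In the sample, jest sits under "dependencies", so jest-cli is counted in the production tree; moving jest to devDependencies and regenerating the lockfile would mark both as dev-only.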

Hope the above content boosts your knowledge about managing your dependencies.

Thank you for reading & Sayonara!

Steven Fernandes

Intern - Frontend at DRIP Capital