Applications are rarely, if ever, completely custom solutions.
Rather, they are complex builds that depend on a range of other software assets, frameworks and repositories to compile and run.
It’s not always obvious which dependencies a piece of software uses, yet the errors, bugs and security flaws in those dependencies are inherited by your software. That’s why dependency management is vital for successful and reliable software.
In this article, we look at:
- What dependency management is.
- Why your team needs an airtight process for managing dependencies.
- What that process should look like.
What Is Dependency Management?
Software builds are typically dependent on other software assets to compile and run. These assets are called dependencies.
There are two types of software dependencies, as the team at Snyk points out:
- Direct dependencies are the libraries your code calls directly.
- Transitive dependencies are the libraries your dependencies call. In other words, they are dependencies of dependencies.
“Both types of dependencies require careful management to control the risks involved,” the Snyk team writes. “Transitive or indirect dependencies require extra consideration because it’s not immediately obvious that they’re being used in an application.”
Dependency management is the system of processes, people and tools development teams use to record, track and manage these dependencies.
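As an added illustration of the direct/transitive distinction above (example code written for this article, not from Snyk or any of the tools named here), the following script walks a constructed, lockfile-style dependency graph, separates direct from transitive packages, and reports which installed packages match a constructed advisory list together with the chain that pulls each one in. The package names, versions and advisories are all made up for the example.

```python
from collections import deque

# Constructed sample data, not taken from any real project: the manifest lists
# the direct dependencies; the resolved graph is what a lockfile would record.
MANIFEST = {"web-framework", "http-client"}
RESOLVED = {
    "web-framework": {"version": "4.2.0", "requires": ["template-engine", "logger"]},
    "http-client": {"version": "2.1.3", "requires": ["logger", "url-parser"]},
    "template-engine": {"version": "1.8.0", "requires": ["html-escaper"]},
    "logger": {"version": "3.0.1", "requires": []},
    "url-parser": {"version": "0.9.2", "requires": []},
    "html-escaper": {"version": "1.0.4", "requires": []},
}
# Constructed advisory list: package -> versions reported as affected.
ADVISORIES = {"html-escaper": {"1.0.4"}, "logger": {"3.0.1"}}


def dependency_paths(manifest, resolved):
    """Breadth-first walk from the direct dependencies. Returns, for every
    package that ends up installed, the shortest chain that pulls it in."""
    paths = {name: [name] for name in sorted(manifest)}
    queue = deque(sorted(manifest))
    while queue:
        name = queue.popleft()
        for child in resolved.get(name, {}).get("requires", []):
            if child not in paths:  # first (shortest) route wins
                paths[child] = paths[name] + [child]
                queue.append(child)
    return paths


def classify(manifest, resolved):
    """Split the installed set into direct and transitive dependencies."""
    paths = dependency_paths(manifest, resolved)
    direct = {n for n, p in paths.items() if len(p) == 1}
    transitive = {n for n, p in paths.items() if len(p) > 1}
    return direct, transitive


def affected(manifest, resolved, advisories):
    """Installed packages with an advisory, with the chain that introduces
    each one, so the team can see whether the fix is a direct version bump
    or an update further up the chain."""
    paths = dependency_paths(manifest, resolved)
    hits = []
    for name in sorted(paths):
        version = resolved[name]["version"]
        if version in advisories.get(name, set()):
            kind = "direct" if len(paths[name]) == 1 else "transitive"
            hits.append({"package": name, "version": version,
                         "kind": kind, "path": " > ".join(paths[name])})
    return hits
```

Both flagged packages here are transitive, which is exactly the case the Snyk quote warns about: neither appears in the manifest, so only a walk of the resolved graph reveals that they are installed.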
Why Is Dependency Management Important?
The integrated nature of modern software makes it essential for development teams to record and manage dependencies.
While dependencies make software “more secure and less error-prone,” Tammy Xu at BuiltIn writes, their use means developers may not have a clear view of everything that’s in their codebase. “And since dependencies are themselves software, they are also vulnerable to mistakes and security holes, which are then inherited by software that’s using them.”
Dependency problems can also impact the reliability of software, writes Stephen J. Bigelow, senior technology editor at TechTarget.
“In fact, when dependencies are missing, outdated or incompatible, they can prevent proper installation, stop the software from running, spawn unexpected exceptions, cause crashes or otherwise impair performance. Such conditions result in more support calls, user dissatisfaction and depressed product adoption.”
What Do Good Dependency Management Practices Look Like?
When assessing dependency management as part of a DevOps assessment, we analyze the people, processes and tools involved.
Software engineers should know how to leverage the right libraries, components and frameworks when creating custom software. They should also take steps to manage the versions of the libraries and frameworks using version control best practices.
Development teams should record dependencies when libraries, components and frameworks get used. Where dependencies are not recorded, engineers should have a process for recording and managing dependencies using an internal tool.
Alongside custom internal platforms, there are several well-known dependency management tools development teams can use, including NuGet, Nexus and npm. Where possible, teams should also take steps to automate the dependency management process.
“Maintaining your dependencies can be extremely time sensitive when it comes to vulnerabilities and bug fixes,” writes Rhys Arkins, VP of product at Mend. “You can save time and reduce your exposure by automating dependency updates in your software projects and have your dependencies updated when new versions are released.”
How to Assess Dependency Management
Given the importance of dependency management to software quality and reliability, being able to accurately assess your company’s practices is essential.
The best way to do so is through a comprehensive DevOps assessment that analyzes the people, processes and tools involved with dependency management, and takes a broader look at how your team deploys continuous integration and automated builds.
At Kingsmen Software, we provide comprehensive DevOps assessments to established teams and investors looking to complete due diligence before making an acquisition. Find out more by speaking to one of our experts.