Wed 26 January 2022

Protecting your project from dependency access problems

The dependency problem

Almost all software projects large or small rely on dependencies — software that isn’t part of the project itself. The use of dependencies is widespread because it saves repeating development work someone else has already performed and generously shared.

The problem with introducing these dependencies is that part of your project now exists outside of your control. If a dependency disappears and you don't have a backup, you may not be able to build your project at all. This happened in a big way in 2016 when “left-pad” was removed from npm: a large number of services that relied on this small piece of code, often inadvertently through dependencies of dependencies, stopped working.

There are a variety of other reasons you may need access to the source code that makes up your dependencies, for example:

  • You need to debug any misbehaviour coming from one of the dependencies.
  • You need to comply with licensing terms: a common open-source licensing term is that source code is available upon request.
  • You need to provide a complete manifest of everything that goes into a system.

You might be wondering, if your dependencies are voluntarily shared, why would they disappear? Well, even large and established platforms are not immune to downtime — in October 2018, GitHub was down for 12 hours. Alternatively, software could be relocated to a new server or maintainers of a particular piece of software could choose to stop supporting it and take it down permanently. In the last case, while it's prudent to avoid using unsupported software, it may be necessary to keep the build going for a short amount of time.

The mirroring solution

A common solution to the problem of disappearing dependencies is to use a mirror. This is a second source of the required software that can be accessed if the primary one is unavailable. Many build systems such as BuildStream allow you to add mirrors into your build scripts so you can supply multiple sources for a single resource.

Maintenance of these mirrors can be a daunting task, especially for large software projects with hundreds of dependencies. However, choosing not to mirror your dependencies is dangerous. While many build servers cache resources they have already downloaded, a clean build, or a build on a new machine without access to that cache, will fail as soon as one upstream is unavailable. This can be a major barrier to testing and deploying your software project, and the more dependencies you have, the bigger the risk, since it becomes more likely that at least one of them won't be available.

For small projects, it may be tempting to manage your mirrors manually. This can easily become a burden, because some tasks have to be repeated regularly: for example, checking that the original source code is still at the expected location, and that the version held in the mirror still matches the version upstream.
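As an added illustration of the mirror approach described above (example code, not Codethink's, BuildStream's or the white paper's): a dependency manifest lists the primary source followed by mirrors, and the fetcher falls back through them but only accepts an artifact whose SHA-256 matches the pinned value, so a stale or altered mirror is reported rather than silently used. The manifest layout, the URLs and the stand-in network are constructed for this example.

```python
"""Mirror fallback with integrity verification for a small dependency manifest.

Added example; the manifest format, the fetch callback and all sample data
are constructed for illustration and are not part of any real project.
"""
import hashlib

# Constructed manifest: each dependency pins one expected SHA-256 and lists
# the primary location first, followed by mirrors to try in order.
MANIFEST = {
    "libfoo-1.2.tar.gz": {
        "sha256": hashlib.sha256(b"libfoo 1.2 tarball bytes").hexdigest(),
        "sources": [
            "https://upstream.example.org/libfoo-1.2.tar.gz",
            "https://mirror-a.example.net/libfoo-1.2.tar.gz",
            "https://mirror-b.example.net/libfoo-1.2.tar.gz",
        ],
    },
}

# Constructed stand-in for the network: URL -> bytes; None means unreachable.
# The upstream is down and mirror-a holds a different (stale) version.
FAKE_NETWORK = {
    "https://upstream.example.org/libfoo-1.2.tar.gz": None,
    "https://mirror-a.example.net/libfoo-1.2.tar.gz": b"libfoo 1.3 tarball bytes",
    "https://mirror-b.example.net/libfoo-1.2.tar.gz": b"libfoo 1.2 tarball bytes",
}


def fake_fetch(url):
    """Hypothetical fetcher; a real one would perform the HTTP download."""
    return FAKE_NETWORK.get(url)


def fetch_verified(name, entry, fetch=fake_fetch):
    """Try each source in order and accept only content matching the pinned hash.

    Returns (data, url_used, log). A mirror serving different bytes is logged
    as a mismatch and skipped, so a tampered or out-of-date mirror never
    feeds the build. Raises LookupError when no source produced a match.
    """
    log = []
    for url in entry["sources"]:
        data = fetch(url)
        if data is None:
            log.append(f"{name}: {url} unreachable")
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest != entry["sha256"]:
            log.append(f"{name}: {url} hash mismatch ({digest[:12]}...)")
            continue
        log.append(f"{name}: {url} ok")
        return data, url, log
    raise LookupError(f"{name}: no source served a matching artifact")
```

Pinning a hash per artifact is what turns a mirror from an extra point of trust into a mere availability fallback: whichever source answers, the build only proceeds on the bytes that were reviewed when the dependency was added.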

There are some existing solutions available for mirror management but none of these are ideal — either being proprietary and costly, or unable to handle multiple version control systems as well as commonly used individual files such as tarballs.

Engineers at Codethink discuss existing solutions and explore a free and open-source software solution in the following white paper.
