By adding dependencies to your project you are making your project dependent.
Some of the related modules didn't work anymore, so I delayed the React update, hoping the other modules would be updated as well in the next week or so. A few weeks later I figured out some of the related modules were not maintained anymore and had a ton of open pull requests and issues. Now I had to fork those modules to make the necessary changes or find a similar maintained module so I could update React to the latest version in my project. It cost me quite some time to update React and to get my project running again.
I have also had updates which were breaking the semantic versioning rules (breaking changes in patch/minor updates). And bugs of course... which are usually fixed pretty fast though :)
All these situations were a lesson for me; by adding dependencies to your project you are making your project dependent... (duh). This sounds really obvious, but I never thought like that when running "yarn add ..." or "npm install ...". And by adding module-related modules you could end up in a hostage-like scenario if you don't watch out. Like in my example, where I could not update React because of other modules which still required an older version of React.
Now I think about every single dependency which I add to my project. I always ask myself these questions:
- Do I really need this module?
- Do I want my project to be dependent on this module?
- Is this module actively maintained?
- Do I understand the source of this module? (for small modules, in case I need to fork it)
- Do the added benefits of this module outweigh the added risks?
- How much time & effort does it cost to build (or copy and modify) this module and does that outweigh the risk of adding this dependency?
- How many dependencies does this module have and are those “okay” too?
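Two of the questions above (how many dependencies a module drags in, and whether an update can break you) can be answered from the lockfile before anything is installed. The script below is an added example, not code from the original post: it walks a constructed, simplified npm lockfile (the "packages" map of lockfileVersion 3; all package names are hypothetical), reports per direct dependency its transitive package count and whether package.json pins an exact version or lets "npm install" float within a "^"/"~" range, and lists every package installed at more than one version, which is exactly the hostage situation described above (an old copy of the framework nested under a module that still requires it).

```javascript
// Constructed, simplified npm lockfile (lockfileVersion 3 "packages" map); package names are hypothetical.
const LOCK = { packages: {
  "": { dependencies: { "ui-framework": "^16.0.0", "ui-router": "5.1.2" } },
  "node_modules/ui-framework": { version: "16.14.0", dependencies: { envify: "^1.1.0", "prop-check": "^15.6.0" } },
  "node_modules/envify": { version: "1.4.0", dependencies: { tokens: "^4.0.0" } },
  "node_modules/tokens": { version: "4.0.0" },
  "node_modules/prop-check": { version: "15.7.2", dependencies: { envify: "^1.4.0" } },
  "node_modules/ui-router": { version: "5.1.2", dependencies: { "ui-framework": "^15.0.0" } },
  "node_modules/ui-router/node_modules/ui-framework": { version: "15.6.2", dependencies: { envify: "^1.1.0" } },
} };

// npm's lookup rule: the nearest node_modules/<name>, walking up from the requiring package.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i >= 0 ? base.slice(0, i) : "";
  }
}

// Every installed copy reachable from startPath, each counted once.
function transitiveDeps(packages, startPath) {
  const seen = new Set();
  for (const stack = [startPath]; stack.length; ) {
    const p = stack.pop();
    for (const dep of Object.keys(packages[p].dependencies || {})) {
      const r = resolve(packages, p, dep);
      if (r && !seen.has(r)) { seen.add(r); stack.push(r); }
    }
  }
  return seen;
}

// Per direct dependency: installed version, whether package.json pins an exact version (a "^"/"~"
// range lets `npm install` float to a newer release), transitive count; plus packages at >1 version.
function auditLockfile(lock) {
  const pk = lock.packages, direct = {}, versions = {}, duplicated = {};
  for (const [name, range] of Object.entries(pk[""].dependencies || {})) {
    const path = resolve(pk, "", name);
    direct[name] = { installed: pk[path].version, pinned: /^\d+\.\d+\.\d+$/.test(range), transitive: transitiveDeps(pk, path).size };
  }
  for (const p of Object.keys(pk).filter(Boolean)) {
    const name = p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
    (versions[name] = versions[name] || new Set()).add(pk[p].version);
  }
  for (const [name, set] of Object.entries(versions)) if (set.size > 1) duplicated[name] = [...set].sort();
  return { direct, duplicated };
}

console.log(JSON.stringify(auditLockfile(LOCK), null, 2));
```

To run it against a real project, replace LOCK with JSON.parse of the project's package-lock.json; a name showing up under "duplicated" is the first thing to look at before attempting a major framework update.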
I am now keeping my dependencies as minimal as possible following the above guidelines.
Keeping my project up-to-date is still hard sometimes, but manageable. I have some more code of my own though, but I know it stays the same and it should keep working as expected.
Another lesson I learned the hard way is that every dependency you add is also an added risk, and every update of a dependency may break your app. You might prevent most of these issues with automated tests, but unfortunately sometimes a bug slips through into your production environment. It is impossible to prevent this from happening (in my experience), but one of the things you can do to reduce this risk is keeping the overall number of dependencies low.
It might seem quick at the beginning of the project to glue some modules together and to get the project live fast. But you could end up paying the price for this faster than you think if you are not careful (like I was not).
I wrote this blog because some of my colleagues are making the same mistakes I did (with the same consequences). So there might be more developers out there who are doing this as well. I hope that this blog might help them to be more aware of adding dependencies than I was.
Buying me a coffee will help me to finance this hobby project and to keep me awake of course :)