We got used to installing a new package, using it and shipping it, pretending it’s production-ready. But there’s way more that comes with it.

Before adding any dependencies, there are some things you must check:

  • Is it still maintained? If not, what are the alternatives?
  • When was the last time this package was updated?
    • Was the last update more than a year ago?
  • How many issues are open?
    • Check the issues and see whether anything major is pending; this alone may save you a couple of hours.
  • Are the pull requests being reviewed?
  • Does it have tests?
  • Quickly look around the code, try to make sense of it. If you can’t, what will you do when you need to fix a dependency issue?
    • You may find it is not doing much at all, and you may be better off just implementing it yourself. Do you remember the JS npm left-pad incident?
  • Learn something new from that package; you have nothing to lose here.

Because you should Own your contributions, any dependencies you add are part of your contribution.

Part of Tips for Software Engineers

Be aware of typosquatting attacks.

Attackers upload malicious packages with names similar to legitimate ones (like reqeusts instead of requests), hoping you’ll mistype the name and install the bad one.

Make sure you are installing the correct package: find the source code, and follow the installation instructions from the source repository. Avoid following instructions directly from hosting services (e.g., RubyGems.org, pip.org or npmjs.com).
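One mechanical check you can run before installing, as an added example (not code from this page): compare each requested name against an allowlist of packages your project already trusts, flagging anything within one edit (including a transposition, the reqeusts/requests case). The allowlist and the requirements text below are constructed for the example; in practice you would generate the allowlist from your lockfile.

```python
import re

# Constructed allowlist (assumption): normalized names your project already trusts.
KNOWN_PACKAGES = {"requests", "numpy", "urllib3", "django", "flask", "pillow"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition, e.g. "eu" <-> "ue"
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def check_name(name: str, known=KNOWN_PACKAGES, max_distance: int = 1):
    """Return ('ok', name) for an exact known name, ('suspicious', closest)
    when the name is within max_distance edits of a known one, else ('unknown', None)."""
    name = name.lower().replace("_", "-")  # PyPI treats these as the same name
    if name in known:
        return "ok", name
    for candidate in sorted(known):
        if damerau_levenshtein(name, candidate) <= max_distance:
            return "suspicious", candidate
    return "unknown", None


def audit_requirements(text: str):
    """Check every requirement line (e.g. 'reqeusts>=2.0') and report the ones
    that are not an exact match for a trusted name."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pkg = re.split(r"[=<>!~\[; ]", line, 1)[0]  # strip version specifiers/extras
        verdict, match = check_name(pkg)
        if verdict != "ok":
            findings.append((pkg, verdict, match))
    return findings


# Constructed sample requirements file for the example.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
reqeusts>=2.0      # one transposed letter away from requests
numpy
pilow
my-internal-lib==1.0
"""

if __name__ == "__main__":
    for pkg, verdict, match in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{pkg}: {verdict}" + (f" (did you mean {match}?)" if match else ""))
```

A "suspicious" hit is a prompt to open the package's source repository and confirm the name, not proof of malice; an "unknown" hit is simply a name the allowlist has never seen.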