DEV Community

loading...

Building cloud native apps: Dependencies

lukaszbudnik profile image Łukasz Budnik Updated on ・2 min read

Dependencies management for cloud native apps

Dependency management is very important aspect of every application lifecycle management. It has its own chapter in the twelve-factor app manifest: https://www.12factor.net/dependencies.

It is a very good summary of how to approach dependency management in your project (at all levels including OS dependencies). I would like to throw in my two cents and focus more on the software development part.

Keeping dependencies up to date

First, make sure that the build tool which you use has functionality which can help you keep up with your dependencies (either out of the box or via plugins). A project comprising of several services can have tens (or even hundreds) of external dependencies. Making sure you are always up to date is maybe not a super complex but (let's face it) a rather dull task. This task should be automated. Dependencies should be upgraded automatically every week. Followed by a full suite of unit and integration tests. Minor version upgrades don't break the API and what is very important they contain bug fixes and security updates.

Scanning dependencies for security vulnerabilities

Speaking of security updates. You should scan your code on a regular basis for security vulnerabilities. You can use projects like Retire.js or OWASP Dependency-Check. There are also fully featured multi-platform multi-language solutions like Dependency Track.

If you are using GitHub as a codebase repository you get some security features out of the box. GitHub's Dependabot will scan your project and let you know if there are security vulnerabilities in your dependencies. What is more Dependabot can automatically create a pull request with a bumped version for you. There are more security-related features in GitHub. For a complete list see https://github.com/features/security.

Checking dependencies' licenses for compliance

A very important step. Check licenses for all your dependencies. Check licenses for both the back-end (maven, gradle, npm, go, gems, ...) and the front-end (npm, grunt, yarn, ...). Prepare a list of approved licenses and fail all pull requests when new dependencies with new licenses are added. You can review new licenses and if you accept them, add them to the approved list. If not, reject the pull and pick-up another library.

Share the love

There are a lot of open-source foundations, government institutions, startups, tech giants, and even banks that open-source their work. Every project that I worked on used open-source technologies. And I'm pretty sure so do you.
If you found a bug, implemented an enhancement, or maybe even added a brand new feature - please contribute back. Every contribution counts and every contribution is making the difference!

If you're on another open-source level, you may even consider sharing your own project. That's how open-source community is changing the world around us. Share the love!

Discussion (0)

pic
Editor guide