[Python Dependency Pitfalls] How to set the world on fire

Hey there,

#1 on my list of dependency management pitfalls is there for a good reason:

It lead to a single developer causing mayhem and breaking thousands of open-source projects around the world in one fell swoop.

Here's how it all went down:

A few years back, Azer Koçulu wrote a tiny library he published on Npm, the package repository for NodeJS. (The Python equivalents would be PyPI + pip.)

That "library" contained only 11 lines of code in total, but it was downloaded MILLIONS of times every month of as a dependency in other JavaScript projects.

What Azer's magical "micro library" did, you ask?

It added a tiny piece of functionality that was frequently needed but wasn't a part of the NodeJS standard library:

The ability to pad out the lefthand-side of strings with zeroes or spaces. For example, to format numbers for display.

In Python you'd probably do something like this:

>>> n = '4'
>>> n.zfill(3)
'004'

Anyway, this tiny "left-pad" library was used across many projects, including important applications like Node itself.

One fine day, Azer decided to close his NodeJS package repository account…

Which removed all of the packages associated with it.

And suddenly, "left-pad" was no longer available for download…

Can you guess what happened to the dependency install setup steps on projects using "left-pad?"

Well, they came to a SCREECHING HALT:

App deployments became stuck dead in their tracks. Automated tests stopped working.

And thousands of developers couldn't even RUN their apps locally…

All because "left-pad" had disappeared—and some important build tools required it to work.

It was quite crazy. Even some newspapers reported about the "left-pad incident."

You can imagine that there was a lot of "bruhaha" about the NodeJS packaging system—

But to tell you the truth the *exact same thing* could happen at any time with Python's packaging repository, PyPI.

It's easy to think that pulling in functionality from 3rd party dependencies is always a net benefit.

But every time you're adding an external dependency to your own project you're walking a fine line…

BAD external dependencies can make your stomach churn as a developer or project maintainer.

The people who got burned by the NodeJS "left-pad" incident know what I'm talking about...

On the other hand, a great quality third-party package can save you hours or even days of work.

The challenge is deciding whether a dependency adds value or is just a liability:

>> See step-by-step how to research and make Python dependency decisions (and how to explain them to your team/manager)

— Dan Bader

P.S. There's an important skill that Python dev managers look for in a candidate, but they rarely find it. More on that tomorrow.

Older messages

[Python Dependency Pitfalls] A total mess?

Monday, September 12, 2022

Hey there, Recently I watched a Pythonista ask for advice on setting up a Python project on his work machine. This new developer had some prior experience with NodeJS and had just started to get his

[Sublime + Python Setup] The Ctrl+s "Heisenbug"

Monday, September 12, 2022

"What the **** is going on?!" I heard Keith yell. Returning from my lunch break and in a helpful mood I grabbed my coffee mug and shuffled over to my coworker's desk. "What's

[Python Mastery] What Pythonistas can learn from bestselling authors

Sunday, September 11, 2022

Hey there, I just finished reading Stephen King's "On Writing." It's a great little book where he shares some of the writing advice and stories he's picked up over the course of

[Python Dependency Pitfalls] The Iceberg

Sunday, September 11, 2022

Hey there, The other day I read this quote from a Python developer that made me stop and think: "As a noob with a little programming knowledge already, I've found setting up and installing

[Sublime + Python Setup] How to become a happier & more productive Python dev

Sunday, September 11, 2022

Hey there, I really struggled with setting up an effective development environment as a new Python developer. It was difficult to build the right habits and to find a set of tools I enjoyed to use.

How Do QR Codes Work?

Tuesday, October 4, 2022

Read in Browser Logo for Review Geek October 4, 2022 Let's talk about QR Codes. You know, the funny little squiggly boxes that you'll see on commercials, restaurant windows, and plant signs.

What to expect from Google’s Pixel 7 event

Tuesday, October 4, 2022

The Morning After Now available on your smart speaker and wherever you get your podcasts Apple Podcasts | Spotify | Google Play | iHeart Radio It's Tuesday, October 04, 2022. Google's big Pixel

🎆🌆 Edge#231: Text-to-Image Synthesis with GANs

Tuesday, October 4, 2022

In this issue: we explore Text-to-image synthesis with GANs; we discuss Google's XMC-GAN, a modern approach to text-to-image synthesis; we explore NVIDIA GauGAN2 Demo. Enjoy the learning! 💡 ML

Apple's ad empire 📱, automating your job 👨‍💻, world's largest camera 📷

Tuesday, October 4, 2022

Apple's App Tracking Transparency feature wreaked havoc on the global ad market. Sign Up | View Online | Sponsor Daily Update 2022-10-04 Invest in venture capital with Cathie Wood. (Sponsor) Famed

DeveloPassion's Newsletter - Month in review

Tuesday, October 4, 2022

Hello everyone! I'm Sébastien Dubois, your host. You're receiving this email because you signed up fo DeveloPassion's Newsletter - Month in review By Sébastien Dubois • Issue #87 • View

New Blogs on ThomasMaurer.ch for 10/04/2022

Tuesday, October 4, 2022

View this email in your browser Thomas Maurer Cloud & Datacenter Update This is the update for blog posts on ThomasMaurer.ch. Clouded – Uncovering The Culture Of Cloud (2022) Documentary By Thomas

Tell HN: A disabled 40-year-old person founded a startup and makes a living — The PS5 Has Been Jailbroken — and Postgres WASM

Monday, October 3, 2022

Issue #909 — Top 20 stories of October 04, 2022 Issue #909 — October 04, 2022 You receive this email because you are subscribed to Hacker News Digest. You can open it in the browser if you prefer. 1

Vice Society hackers post 500GB of data stolen from LA school district to dark web

Monday, October 3, 2022

TechCrunch Newsletter TechCrunch logo The Daily Crunch logo By Christine Hall and Haje Jan Kamps Monday, October 03, 2022 Oc-flippin-tober? You've got to be mock-tobering us. It's a sobering

JSK Daily for Oct 3, 2022

Monday, October 3, 2022

JSK Daily for Oct 3, 2022 View this email in your browser A community curated daily e-mail of JavaScript news What Is a Slot in Vue.js and How To Use It - Upmostly When we're building a front end

Max Q - Hubble hubble, toil and trouble

Monday, October 3, 2022

TechCrunch Newsletter TechCrunch logo Max Q logo By Aria Alamalhodaei Monday, October 03, 2022 Hello and welcome back to Max Q. I hope all of our Florida readers stayed safe during Hurricane Ian —