[Python Dependency Pitfalls] How to set the world on fire

Hey there,

#1 on my list of dependency management pitfalls is there for a good reason:

It lead to a single developer causing mayhem and breaking thousands of open-source projects around the world in one fell swoop.

Here's how it all went down:

A few years back, Azer Koçulu wrote a tiny library he published on Npm, the package repository for NodeJS. (The Python equivalents would be PyPI + pip.)

That "library" contained only 11 lines of code in total, but it was downloaded MILLIONS of times every month of as a dependency in other JavaScript projects.

What Azer's magical "micro library" did, you ask?

It added a tiny piece of functionality that was frequently needed but wasn't a part of the NodeJS standard library:

The ability to pad out the lefthand-side of strings with zeroes or spaces. For example, to format numbers for display.

In Python you'd probably do something like this:

>>> n = '4'
>>> n.zfill(3)
'004'

Anyway, this tiny "left-pad" library was used across many projects, including important applications like Node itself.

One fine day, Azer decided to close his NodeJS package repository account…

Which removed all of the packages associated with it.

And suddenly, "left-pad" was no longer available for download…

Can you guess what happened to the dependency install setup steps on projects using "left-pad?"

Well, they came to a SCREECHING HALT:

App deployments became stuck dead in their tracks. Automated tests stopped working.

And thousands of developers couldn't even RUN their apps locally…

All because "left-pad" had disappeared—and some important build tools required it to work.

It was quite crazy. Even some newspapers reported about the "left-pad incident."

You can imagine that there was a lot of "bruhaha" about the NodeJS packaging system—

But to tell you the truth the *exact same thing* could happen at any time with Python's packaging repository, PyPI.

It's easy to think that pulling in functionality from 3rd party dependencies is always a net benefit.

But every time you're adding an external dependency to your own project you're walking a fine line…

BAD external dependencies can make your stomach churn as a developer or project maintainer.

The people who got burned by the NodeJS "left-pad" incident know what I'm talking about...

On the other hand, a great quality third-party package can save you hours or even days of work.

The challenge is deciding whether a dependency adds value or is just a liability:

>> See step-by-step how to research and make Python dependency decisions (and how to explain them to your team/manager)

— Dan Bader

P.S. There's an important skill that Python dev managers look for in a candidate, but they rarely find it. More on that tomorrow.

Older messages

[Python Dependency Pitfalls] A total mess?

Thursday, November 3, 2022

Hey there, Recently I watched a Pythonista ask for advice on setting up a Python project on his work machine. This new developer had some prior experience with NodeJS and had just started to get his

[PythonistaCafe] Q&A

Thursday, November 3, 2022

Hey there, At this point you should have a pretty good idea of what PythonistaCafe is about and what makes it special. In this email I want to answer some common questions that I get asked about the

[PythonistaCafe] What's in PythonistaCafe for you?

Wednesday, November 2, 2022

Hey there, A couple of years ago I'd become quite interested in martial arts. Hours upon hours of watching "The Karate Kid" growing up must've taken their toll on me... And so, I

[Sublime + Python Setup] Sublime Text is just a blank canvas…

Tuesday, November 1, 2022

Hey there, When I became serious about optimizing Sublime Text with plugins, it was hard for me to separate the wheat from the chaff. Without a real guideline or roadmap I resorted to installing *any*

[PythonistaCafe] Why PythonistaCafe exists

Tuesday, November 1, 2022

Hey there, In one of my last emails I talked about how some online communities in the tech space devolve over time and turn into cesspools of negativity. This relates directly to how and why I started

Digest #89: Pipeline as Code 🔥

Monday, February 6, 2023

Digest #89: Pipeline as Code 🔥 #89: Pipeline as Code This week, I have a lot of exciting topics for you. To start off, we cover the basics of effective dashboard design and how you can create a Grafana

Max Q - Space raise

Monday, February 6, 2023

TechCrunch Newsletter TechCrunch logo Max Q logo By Aria Alamalhodaei Monday, February 06, 2023 Hello and welcome back to Max Q! In this issue: Voyager Space's new funding Orbital Sidekick's

JSK Daily for Feb 6, 2023

Monday, February 6, 2023

JSK Daily for Feb 6, 2023 View this email in your browser A community curated daily e-mail of JavaScript news Maximize Your React Skills: Build a To-Do List App from Start to Finish (with TypeScript +

Get free scholarship to INDUSTRY: The Product Conference

Monday, February 6, 2023

Sometimes, the people who would benefit most from attending conferences may not be in the room — and we want to help change that for the upcoming European edition (March 20-22, 2023) and Global edition

Daily Coding Problem: Problem #1015 [Hard]

Monday, February 6, 2023

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Google. In a directed graph, each node is assigned an uppercase letter. We define a

The Smarter A.I. Powered No-Code Platform

Monday, February 6, 2023

Blaze.tech is the fast growing AI powered no-code platform that's revolutionizing the way teams build web apps and tools. Blaze enables its customers to build and launch apps in minutes,

Visualized | Most Grammy-Winning Artists of All-Time + Music Consumption in 2022 🎤

Monday, February 6, 2023

After last night's Grammy Awards, we look at which artist has won the most all-time, along with global music consumption habits in general. View Online | Subscribe Presented by: Food Security is a

Wi-Fi 6E: What Is It, and How Is It Different From Wi-Fi 6?

Monday, February 6, 2023

Did You Know?: The sound of a whip cracking is a mini sonic boom. The loop traveling along the length of the whip continues to gain speed until it reaches the speed of sound and breaks the sound

Tech for a sustainable future: The challenges and opportunities ahead

Monday, February 6, 2023

Now could be a great time to trade in your smartphone: Here's why... ZDNET ZDNET Insights February 6, 2023 placeholder Tech for a sustainable future: The challenges and opportunities ahead We need

Leveraging AI across your business, new approaches to customer acquisition and more this week at TechCrunch | February 6

Monday, February 6, 2023

Disrupt 2-for-1 pre-sale, audience choice voting and more... This week we have a couple of online events starting on Wednesday with TechCrunch Live when Cube's CEO and founder, Christina Ross, will