[Python Dependency Pitfalls] How to set the world on fire

Hey there,

#1 on my list of dependency management pitfalls is there for a good reason:

It lead to a single developer causing mayhem and breaking thousands of open-source projects around the world in one fell swoop.

Here's how it all went down:

A few years back, Azer Koçulu wrote a tiny library he published on Npm, the package repository for NodeJS. (The Python equivalents would be PyPI + pip.)

That "library" contained only 11 lines of code in total, but it was downloaded MILLIONS of times every month of as a dependency in other JavaScript projects.

What Azer's magical "micro library" did, you ask?

It added a tiny piece of functionality that was frequently needed but wasn't a part of the NodeJS standard library:

The ability to pad out the lefthand-side of strings with zeroes or spaces. For example, to format numbers for display.

In Python you'd probably do something like this:

>>> n = '4'
>>> n.zfill(3)
'004'

Anyway, this tiny "left-pad" library was used across many projects, including important applications like Node itself.

One fine day, Azer decided to close his NodeJS package repository account…

Which removed all of the packages associated with it.

And suddenly, "left-pad" was no longer available for download…

Can you guess what happened to the dependency install setup steps on projects using "left-pad?"

Well, they came to a SCREECHING HALT:

App deployments became stuck dead in their tracks. Automated tests stopped working.

And thousands of developers couldn't even RUN their apps locally…

All because "left-pad" had disappeared—and some important build tools required it to work.

It was quite crazy. Even some newspapers reported about the "left-pad incident."

You can imagine that there was a lot of "bruhaha" about the NodeJS packaging system—

But to tell you the truth the *exact same thing* could happen at any time with Python's packaging repository, PyPI.

It's easy to think that pulling in functionality from 3rd party dependencies is always a net benefit.

But every time you're adding an external dependency to your own project you're walking a fine line…

BAD external dependencies can make your stomach churn as a developer or project maintainer.

The people who got burned by the NodeJS "left-pad" incident know what I'm talking about...

On the other hand, a great quality third-party package can save you hours or even days of work.

The challenge is deciding whether a dependency adds value or is just a liability:

>> See step-by-step how to research and make Python dependency decisions (and how to explain them to your team/manager)

— Dan Bader

P.S. There's an important skill that Python dev managers look for in a candidate, but they rarely find it. More on that tomorrow.

Older messages

[Sublime + Python Setup] How to become a happier & more productive Python dev

Tuesday, June 29, 2021

Hey there, I really struggled with setting up an effective development environment as a new Python developer. It was difficult to build the right habits and to find a set of tools I enjoyed to use.

[PythonistaCafe] Q&A

Tuesday, June 29, 2021

Hey there, At this point you should have a pretty good idea of what PythonistaCafe is about and what makes it special. In this email I want to answer some common questions that I get asked about the

[Python Dependency Pitfalls] A total mess?

Tuesday, June 29, 2021

Hey there, Recently I watched a Pythonista ask for advice on setting up a Python project on his work machine. This new developer had some prior experience with NodeJS and had just started to get his

[PythonistaCafe] What's in PythonistaCafe for you?

Monday, June 28, 2021

Hey there, A couple of years ago I'd become quite interested in martial arts. Hours upon hours of watching "The Karate Kid" growing up must've taken their toll on me... And so, I

[PythonistaCafe] Why PythonistaCafe exists

Sunday, June 27, 2021

Hey there, In one of my last emails I talked about how some online communities in the tech space devolve over time and turn into cesspools of negativity. This relates directly to how and why I started

You Might Also Like

Software Testing Weekly - Issue 261

Wednesday, March 12, 2025

New AI solutions for testing 👀 View on the Web Archives ISSUE 261 March 12th 2025 COMMENT Welcome to the 261st issue! I have nothing more to add to the genuinely great news that came out recently. I

JSK Daily for Mar 11, 2025

Tuesday, March 11, 2025

JSK Daily for Mar 11, 2025 View this email in your browser A community curated daily e-mail of JavaScript news How to Enforce Type Safety in FormData with TypeScript When working with the FormData

Binary Data, Tail Calls, Pickles, and More

Tuesday, March 11, 2025

Bytes Objects: Handling Binary Data in Python #672 – MARCH 11, 2025 VIEW IN BROWSER The PyCoder's Weekly Logo Bytes Objects: Handling Binary Data in Python In this tutorial, you'll learn about

Shaking The Wasp’s Nest 🐝

Tuesday, March 11, 2025

How Gamergate swarmed into our online lives. Here's a version for your browser. Hunting for the end of the long tail • March 11, 2025 Today In Tedium: You probably have noticed, just like me, that

Daily Coding Problem: Problem #1714 [Easy]

Tuesday, March 11, 2025

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Google. You are given an N by N matrix of random letters and a dictionary of words. Find

Mapped | The State of Democracy Around the World 🌐

Tuesday, March 11, 2025

After a historic election year, we show the state of democracy worldwide as it declines to its lowest level in two decades. View Online | Subscribe | Download Our App NEW REPORT: The Age of Data >

Stories, Free Tool & CRM Template

Tuesday, March 11, 2025

Notion stories, smart tools, and a free template to organize your contacts 🔥 ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏

LW 173 - How to become a Shopify Developer in 2025

Tuesday, March 11, 2025

How to become a Shopify Developer in 2025 ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ Shopify Development news and articles Issue 173 - 03/11

This free AI tool beats Perplexity

Tuesday, March 11, 2025

Ubuntu vs. Debian; The new HR; YouTube randomizer -- ZDNET ZDNET Tech Today - US March 11, 2025 webfeetgettyimages-10141124 DuckDuckGo's AI beats Perplexity in one big way - and it's free to

⚙️ AI bubble bursts (?)

Tuesday, March 11, 2025

Plus: We talk to the CEO of Read AI ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌