[Python Dependency Pitfalls] How to set the world on fire

Hey there,

#1 on my list of dependency management pitfalls is there for a good reason:

It lead to a single developer causing mayhem and breaking thousands of open-source projects around the world in one fell swoop.

Here's how it all went down:

A few years back, Azer Koçulu wrote a tiny library he published on Npm, the package repository for NodeJS. (The Python equivalents would be PyPI + pip.)

That "library" contained only 11 lines of code in total, but it was downloaded MILLIONS of times every month of as a dependency in other JavaScript projects.

What Azer's magical "micro library" did, you ask?

It added a tiny piece of functionality that was frequently needed but wasn't a part of the NodeJS standard library:

The ability to pad out the lefthand-side of strings with zeroes or spaces. For example, to format numbers for display.

In Python you'd probably do something like this:

>>> n = '4'
>>> n.zfill(3)
'004'

Anyway, this tiny "left-pad" library was used across many projects, including important applications like Node itself.

One fine day, Azer decided to close his NodeJS package repository account…

Which removed all of the packages associated with it.

And suddenly, "left-pad" was no longer available for download…

Can you guess what happened to the dependency install setup steps on projects using "left-pad?"

Well, they came to a SCREECHING HALT:

App deployments became stuck dead in their tracks. Automated tests stopped working.

And thousands of developers couldn't even RUN their apps locally…

All because "left-pad" had disappeared—and some important build tools required it to work.

It was quite crazy. Even some newspapers reported about the "left-pad incident."

You can imagine that there was a lot of "bruhaha" about the NodeJS packaging system—

But to tell you the truth the *exact same thing* could happen at any time with Python's packaging repository, PyPI.

It's easy to think that pulling in functionality from 3rd party dependencies is always a net benefit.

But every time you're adding an external dependency to your own project you're walking a fine line…

BAD external dependencies can make your stomach churn as a developer or project maintainer.

The people who got burned by the NodeJS "left-pad" incident know what I'm talking about...

On the other hand, a great quality third-party package can save you hours or even days of work.

The challenge is deciding whether a dependency adds value or is just a liability:

>> See step-by-step how to research and make Python dependency decisions (and how to explain them to your team/manager)

— Dan Bader

P.S. There's an important skill that Python dev managers look for in a candidate, but they rarely find it. More on that tomorrow.

Older messages

[PythonistaCafe] What makes PythonistaCafe different

Monday, July 5, 2021

Hey there, Mastering Python is *not* just about getting the books and courses to study—to be successful you also need a way to stay motivated and to grow your abilities in the long run. Many

[Sublime + Python Setup] The Ctrl+s "Heisenbug"

Monday, July 5, 2021

"What the **** is going on?!" I heard Keith yell. Returning from my lunch break and in a helpful mood I grabbed my coffee mug and shuffled over to my coworker's desk. "What's

[Python Dependency Pitfalls] A total mess?

Sunday, July 4, 2021

Hey there, Recently I watched a Pythonista ask for advice on setting up a Python project on his work machine. This new developer had some prior experience with NodeJS and had just started to get his

[Sublime + Python Setup] How to become a happier & more productive Python dev

Sunday, July 4, 2021

Hey there, I really struggled with setting up an effective development environment as a new Python developer. It was difficult to build the right habits and to find a set of tools I enjoyed to use.

[PythonistaCafe] Q&A

Sunday, July 4, 2021

Hey there, At this point you should have a pretty good idea of what PythonistaCafe is about and what makes it special. In this email I want to answer some common questions that I get asked about the

JSK Daily for Jul 26, 2021

Monday, July 26, 2021

JSK Daily for Jul 26, 2021 View this email in your browser A community curated daily e-mail of JavaScript news Understanding 'this' keyword in JavaScript If you belong to a programming

Max Q - How about I knock off $2 billion?

Monday, July 26, 2021

TechCrunch Newsletter TechCrunch logo Max Q logo Monday, July 26, 2021 • By Darrell Etherington The space industry is still abuzz with the aftermath of Jeff Bezos' brief jaunt, and the

Mapped | Visualizing GDP per Capita Worldwide in 2021 💰

Monday, July 26, 2021

GDP per capita is one of the best measures of a country's standard of living. This map showcases the GDP per capita in every country globally. FEATURED STORY Mapped: GDP per Capita Worldwide in

3-2-1: The State of Developer Ecosystem 2021, Future of Web, Hidden Door to Build Personal Brand, How to Run Good Meetings, Guidelines to Write High Quality CSS and Bonus

Monday, July 26, 2021

Hello my friends! Here are 3 hand-picked articles from the tech world, 2 web development guides, and 1 best Tweet of the week. 🔥 Picks from the tech world 1. The State of Developer Ecosystem 2021​ This

Playing Games to Earn a Living in the Metaverse

Monday, July 26, 2021

“As a player, you actually earn 2-3x more than an entry-level job” - Gabby Dizon, co-founder of Yield Guild Games ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

You’re Invited: Getting Maximum Value from Cloud-Native Master Data Management

Monday, July 26, 2021

Webinar on August 10, 9am PT Hi there, Investing in high-quality, curated customer data fuels business results, from revenue growth to analytics adoption and productivity gains. However, quantifying

Just Launched: Startups of the Year 🚀

Monday, July 26, 2021

4.5k+ Cities; 37k+ Startups: Who'll Achieve Startup of the Year Status in Your City? Vote for 2021's Startups of the Year with Hacker Noon! How's it hanging, Hacker? 👋 Hacker Noon just

The best SaaS products with a free plan

Monday, July 26, 2021

This past week on Twitter, I asked people what their favorite SaaS products with a free plan were. The list is full of gems. Hiten's Pick The Highest Forms of Wealth What does it mean to be wealthy

Daily Coding Problem: Problem #476 [Medium]

Monday, July 26, 2021

Daily Coding Problem Good morning! Here's a solution to yesterday's problem. This is your coding interview problem for today. This problem was asked by Google. You are given an array of length

What ransomware victims saved thanks to free decryption tools

Monday, July 26, 2021

The best cheap VPNs; Beyond Raspberry Pi ZDNet Facebook Twitter LinkedIn ZDNet Tech Today July 26, 2021 placeholder Ransomware: Here's how much victims have saved in ransom payments by using these