1. Home
  2. Discover
  3. Technology
  4. Real Python
  5. [Python Dependency Pitfalls] How to set the world on fire

[Python Dependency Pitfalls] How to set the world on fire

Hey there,

#1 on my list of dependency management pitfalls is there for a good reason:

It lead to a single developer causing mayhem and breaking thousands of open-source projects around the world in one fell swoop.

Here's how it all went down:

A few years back, Azer Koçulu wrote a tiny library he published on Npm, the package repository for NodeJS. (The Python equivalents would be PyPI + pip.)

That "library" contained only 11 lines of code in total, but it was downloaded MILLIONS of times every month of as a dependency in other JavaScript projects.

What Azer's magical "micro library" did, you ask?

It added a tiny piece of functionality that was frequently needed but wasn't a part of the NodeJS standard library:

The ability to pad out the lefthand-side of strings with zeroes or spaces. For example, to format numbers for display.

In Python you'd probably do something like this:

>>> n = '4'
>>> n.zfill(3)
'004'

Anyway, this tiny "left-pad" library was used across many projects, including important applications like Node itself.

One fine day, Azer decided to close his NodeJS package repository account…

Which removed all of the packages associated with it.

And suddenly, "left-pad" was no longer available for download…

Can you guess what happened to the dependency install setup steps on projects using "left-pad?"

Well, they came to a SCREECHING HALT:

App deployments became stuck dead in their tracks. Automated tests stopped working.

And thousands of developers couldn't even RUN their apps locally…

All because "left-pad" had disappeared—and some important build tools required it to work.

It was quite crazy. Even some newspapers reported about the "left-pad incident."

You can imagine that there was a lot of "bruhaha" about the NodeJS packaging system—

But to tell you the truth the *exact same thing* could happen at any time with Python's packaging repository, PyPI.

It's easy to think that pulling in functionality from 3rd party dependencies is always a net benefit.

But every time you're adding an external dependency to your own project you're walking a fine line…

BAD external dependencies can make your stomach churn as a developer or project maintainer.

The people who got burned by the NodeJS "left-pad" incident know what I'm talking about...

On the other hand, a great quality third-party package can save you hours or even days of work.

The challenge is deciding whether a dependency adds value or is just a liability:

>> See step-by-step how to research and make Python dependency decisions (and how to explain them to your team/manager)

— Dan Bader

P.S. There's an important skill that Python dev managers look for in a candidate, but they rarely find it. More on that tomorrow.

Key phrases

great quality thirdparty package dependency install setup steps NodeJS package repository account one fell swoop exact same thing BAD external dependencies magical micro library dependency management pitfalls important build tools NodeJS packaging system The Python equivalents NodeJS standard library Python dev managers NodeJS leftpad incident Python dependency decisions other JavaScript projects tiny leftpad library

Older messages

[Python Dependency Pitfalls] A total mess?

Friday, October 22, 2021

Hey there, Recently I watched a Pythonista ask for advice on setting up a Python project on his work machine. This new developer had some prior experience with NodeJS and had just started to get his

[PythonistaCafe] What's in PythonistaCafe for you?

Friday, October 15, 2021

Hey there, A couple of years ago I'd become quite interested in martial arts. Hours upon hours of watching "The Karate Kid" growing up must've taken their toll on me... And so, I

[PythonistaCafe] Why PythonistaCafe exists

Thursday, October 14, 2021

Hey there, In one of my last emails I talked about how some online communities in the tech space devolve over time and turn into cesspools of negativity. This relates directly to how and why I started

[PythonistaCafe] Q&A

Sunday, October 10, 2021

Hey there, At this point you should have a pretty good idea of what PythonistaCafe is about and what makes it special. In this email I want to answer some common questions that I get asked about the

[PythonistaCafe] What's in PythonistaCafe for you?

Saturday, October 9, 2021

Hey there, A couple of years ago I'd become quite interested in martial arts. Hours upon hours of watching "The Karate Kid" growing up must've taken their toll on me... And so, I

Google Bard is surprisingly bad

Thursday, March 23, 2023

TikTok ban bills; $150 earbuds better than AirPods Pro; Best wireless chargers -- ZDNET ZDNET Tech Today - US March 23, 2023 placeholder I tested Google Bard. It was surprisingly bad AI chatbots have

wpMail.me issue#607

Thursday, March 23, 2023

wpMail.me wpMail.me issue#607 - The weekly WordPress newsletter. No spam, no nonsense. - March 23, 2023 Is this email not displaying correctly? View it in your browser. News & Articles What to

Your weekly Notion templates #81

Thursday, March 23, 2023

3 new templates + 1 new feature, just for you 🔥 ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

New Kimsuky Threats Uncovered: Germany & S. Korea Warn of Escalating Danger!

Thursday, March 23, 2023

The Hacker News Daily Updates Newsletter cover The Importance of SBOMs in Protecting the Software Supply Chain Learn how to use SBOMs to better track and fix known and newly emerging vulnerabilities to

TikTok CEO says its owner is 'not an agent of China’

Thursday, March 23, 2023

The Morning After Now available on your smart speaker and wherever you get your podcasts Apple Podcasts | Spotify | Google Podcasts It's Thursday, March 23, 2023. TikTok CEO Shou Chew is preparing

What to Look For in a VPN Service Provider

Thursday, March 23, 2023

Read in Browser Logo for Review Geek March 23, 2023 If you've been on the internet for the past few years, you've likely seen an ad for a VPN. These services promise to prevent your internet

Post from Syncfusion Blogs on 03/23/2023

Thursday, March 23, 2023

New blogs from Syncfusion Easily Visualize Online Maps in Your .NET MAUI Apps setTimeout and setInterval Uses and Limitations in Modern Browsers More from the Syncfusion Ecosystem Bold Reports:

PHPWeekly March 23rd 2023

Thursday, March 23, 2023

Curated news all about PHP. Here's the latest edition Is this email not displaying correctly? View it in your browser. PHP Weekly 23rd March 2023 Hi everyone, We have a lot in store in this

Mozilla's open AI project 🤖, GitHub Copilot upgrades 👨‍💻, TikTok fights ban 📱

Thursday, March 23, 2023

Mozilla has launched a new AI-focused startup called Mozilla.ai. Sign Up|Jobs|Advertise|View Online TLDR Daily Update 2023-03-23 📱 Big Tech & Startups Shou Zi Chew's 'death wish'

LLaMA is Meta AI's New LLM that Matchest GPT-3.5 Across Many Tasks Despite Being Quite Smaller

Thursday, March 23, 2023

The model is significatively smaller than GPT-3.5 but matches its performance on many important LLM benchmarks. ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌