[Python Dependency Pitfalls] How to set the world on fire

Hey there,

#1 on my list of dependency management pitfalls is there for a good reason:

It lead to a single developer causing mayhem and breaking thousands of open-source projects around the world in one fell swoop.

Here's how it all went down:

A few years back, Azer Koçulu wrote a tiny library he published on Npm, the package repository for NodeJS. (The Python equivalents would be PyPI + pip.)

That "library" contained only 11 lines of code in total, but it was downloaded MILLIONS of times every month of as a dependency in other JavaScript projects.

What Azer's magical "micro library" did, you ask?

It added a tiny piece of functionality that was frequently needed but wasn't a part of the NodeJS standard library:

The ability to pad out the lefthand-side of strings with zeroes or spaces. For example, to format numbers for display.

In Python you'd probably do something like this:

>>> n = '4'
>>> n.zfill(3)
'004'

Anyway, this tiny "left-pad" library was used across many projects, including important applications like Node itself.

One fine day, Azer decided to close his NodeJS package repository account…

Which removed all of the packages associated with it.

And suddenly, "left-pad" was no longer available for download…

Can you guess what happened to the dependency install setup steps on projects using "left-pad?"

Well, they came to a SCREECHING HALT:

App deployments became stuck dead in their tracks. Automated tests stopped working.

And thousands of developers couldn't even RUN their apps locally…

All because "left-pad" had disappeared—and some important build tools required it to work.

It was quite crazy. Even some newspapers reported about the "left-pad incident."

You can imagine that there was a lot of "bruhaha" about the NodeJS packaging system—

But to tell you the truth the *exact same thing* could happen at any time with Python's packaging repository, PyPI.

It's easy to think that pulling in functionality from 3rd party dependencies is always a net benefit.

But every time you're adding an external dependency to your own project you're walking a fine line…

BAD external dependencies can make your stomach churn as a developer or project maintainer.

The people who got burned by the NodeJS "left-pad" incident know what I'm talking about...

On the other hand, a great quality third-party package can save you hours or even days of work.

The challenge is deciding whether a dependency adds value or is just a liability:

>> See step-by-step how to research and make Python dependency decisions (and how to explain them to your team/manager)

— Dan Bader

P.S. There's an important skill that Python dev managers look for in a candidate, but they rarely find it. More on that tomorrow.

Older messages

[PythonistaCafe] Why PythonistaCafe exists

Friday, March 11, 2022

Hey there, In one of my last emails I talked about how some online communities in the tech space devolve over time and turn into cesspools of negativity. This relates directly to how and why I started

[Python Dependency Pitfalls] A total mess?

Thursday, March 10, 2022

Hey there, Recently I watched a Pythonista ask for advice on setting up a Python project on his work machine. This new developer had some prior experience with NodeJS and had just started to get his

[PythonistaCafe] What makes PythonistaCafe different

Thursday, March 10, 2022

Hey there, Mastering Python is *not* just about getting the books and courses to study—to be successful you also need a way to stay motivated and to grow your abilities in the long run. Many

[Sublime + Python Setup] Sublime Text is just a blank canvas…

Thursday, March 10, 2022

Hey there, When I became serious about optimizing Sublime Text with plugins, it was hard for me to separate the wheat from the chaff. Without a real guideline or roadmap I resorted to installing *any*

[Python Dependency Pitfalls] The Iceberg

Thursday, March 10, 2022

Hey there, The other day I read this quote from a Python developer that made me stop and think: "As a noob with a little programming knowledge already, I've found setting up and installing

You Might Also Like

PHPWeekly March 28th 2024

Thursday, March 28, 2024

Curated news all about PHP. Here's the latest edition Is this email not displaying correctly? View it in your browser. PHP Weekly 28th March 2024 Hi everyone, The long weekend is coming up, and if

Hulu officially joins Disney+

Thursday, March 28, 2024

The Morning After It's Thursday, March 28, 2024. A month after taking full ownership of Hulu last November, Disney started beta testing integration with Disney+. Today, Hulu on Disney+ is

Post from Syncfusion Blogs on 03/28/2024

Thursday, March 28, 2024

New blogs from Syncfusion Chart of the Week: Creating a .NET MAUI Column Chart to Visualize the Corporate Investment in AI By Saiyath Ali Fathima M Let's visualize the data on corporates'

New ZenHammer Attack Bypasses Rowhammer Defenses on AMD CPUs

Thursday, March 28, 2024

THN Daily Updates Newsletter cover Webinar: From Blind Spots to Bulletproof: Secure Your Apps with Shared Responsibility From oversight to overwatch: Discover the art of bulletproof app security with

Top Tech 🏆 Synology BeeStation NAS Review — Testing Anker's EverFrost Dual-Zone Powered Cooler

Thursday, March 28, 2024

Also: We Review the Arlo Essential Indoor Cam 2nd Gen, and More! How-To Geek Logo March 28, 2024 📩 Get the hottest deals, how-to's, breaking news, and more delivered directly to your inbox by

Last Chance

Thursday, March 28, 2024

Hello there, I wanted to follow up on our last email to let you know that our introductory iPhone Life Insider offer will expire tomorrow! Currently, a subscription to iPhone Life Insider costs $9.99/

Edge 381: Google DeepMind's PrompBreeder Self-Improves Prompts

Thursday, March 28, 2024

The method combines chain of thoughts, plan and solve and evolutionary algorithms in a single mthod. ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏

Anthropic beats GPT-4 🤖, Pixel 9 leaks 📱, the fight for AI talent 👨‍💻

Thursday, March 28, 2024

Anthropic's Claude 3 Opus has surpassed OpenAI's GPT-4 for the first time on Chatbot Arena Sign Up|Advertise|View Online TLDR Together With Dollar Flight Club TLDR 2024-03-28 Exclusive offer:

From Request to Response: How APIs Work – Beginners Guide

Thursday, March 28, 2024

In the vast expanse of the digital ecosystem, APIs (Application Programming Interfaces) act as critical conduits, facilitating seamless conversations between different software platforms. From clicking

Elastic 8.13 is here: Amazon Bedrock in the AI Assistant for Observability

Thursday, March 28, 2024

Learn about Amazon Bedrock support within the Elastic AI Assistant for Observability ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ ͏‌ elastic | Search. Observe. Protect