DEV Community

Boris Jamot ✊ /
Boris Jamot ✊ /

Posted on • Updated on <time datetime="2019-08-13T22:40:46Z" class="date">Aug 13, 2019</time> • Originally published at mamyn0va.github.io

He Commits Vendor! 😱

Yesterday we had an interesting discussion between some developers of different teams in my company. The subject was: Β« what is the point of vendoring? Β».

Vendoring means committing your project's dependencies along with your code.

What happened is that some developers (including myself) discovered that some other developers commit the vendor folder in the git repository. My first reaction was pretty pejorative as I thought it was a dirty practice from another time, when we had no dependency manager. The devs explained us that it has many benefits:

  • first it allows to build your app much more faster in your CI
  • then it ensures you have the exact version of your dependencies
  • then there is no way one of them get injected by some malware dependency
  • finally you are not dependent of the network (or of the remote dependency repositories) during the build

None of these arguments satisfied me, not that they're not true, but I think each of them can be solved in a cleaner way, for example by using a cache, a custom repository with audited dependencies, and by solving directly the network issues.

And you, what do you think?

Discussion (15)

Collapse
jamespwright profile image
James Wright

On my personal projects I don't really bother with this.
However, you only have to look at the NPM "leftpad" debacle to see why I ALWAYS do this in professional projects for a company.

I've had multiple times in my career where I need to update an old project that hasn't been touched in years, that has a dependency that is no longer available (easily) online.

Collapse
weswedding profile image
Weston Wedding

Yeah, at the very least, I feel like making sure you commit the dependencies for major versions of your final product is important. I don't feel like we should assume composer.json or package.json will even be enough 5 years from now. Online services come and go at a moment's notice.

Collapse
biros profile image
Boris Jamot ✊ / Author

It seems to be a good reason.
Thx !

Collapse
yo profile image
Yogi

This will increase the size of the repo!

Collapse
itsdarrylnorris profile image
Darryl Norris

This could potentially become a very big problem depends on how your app is structured. For instance, if you have a monolithic app that has, it has decoupled components (modules or whatever you want to call it), and each of them has theirs on vendor directory, this will make your app huge.

This brings problems with IDE indexing taking forever, and even downloading the repo.

Collapse
yo profile image
Yogi

Yeah exactly of course it will take too much time to index in my IDEs.

Collapse
cess11 profile image
PNS11

It will have to be indexed and downloaded regardless of whether it's from the repo or some web storage.

Try ripgrep or fzf, they're pretty great at fast searching.

Collapse
bgadrian profile image
Adrian B.G.

Maybe this way devs will realize how much code they really have in their app.

Probably dead code, untested code and so on. Package managers make things so easy to throw away performance, lower level concerns and build sizes.

Collapse
rhymes profile image
rhymes • Edited on
  • first it allows to build your app much more faster in your CI

cache as you said

  • then it ensures you have the exact version of your dependencies

repeatable builds and exact versioning let you do that

  • then there is no way one of them get injected by some malware dependency

what if it's already in there? It's not like you're going to audit the code of every single dependency (and their dependencies) you add but you can still use the cache for that

  • finally you are not dependent of the network (or of the remote dependency repositories) during the build

proxy or cache as you said

None of these arguments satisfied me, not that they're not true, but I think each of them can be solved in a cleaner way, for example by using a cache, a custom repository with audited dependencies, and by solving directly the network issues.

Yep :-)

It's not a bad thing to do, it's just not really needed and you end up putting your dependencies (and their dependencies) as a diff in the git log everytime you upgrade anything

Collapse
bgadrian profile image
Adrian B.G.

It solves some rare problems, but real never the less. I would use it if team members have low bandwidth, or for projects that are not in active development but important.

I imagine if the source is a problem could be saved in a git submodule or something.

Collapse
sanzeeb3_18 profile image
Sanzeeb Aryal

I think I'll need to commit the vendor directory. The vendor directory is required when deploying and I use GH actions to deploy. The vendor directory isn't in the GH, because it's gitignored. So, I obviously need to git the vendor directory? Do you have any suggestions on that? For context, here's the issue: github.com/sanzeeb3/wp-frontend-de...

I have never committed vendor yet, but I'll need to?

Collapse
belinde profile image
Franco Traversaro • Edited on

We just commit the composer.lock or the equivalent for npm project, so anyone can install exactly the right version of the dependencies. Problem solved.

biros profile image
Boris Jamot ✊ / Author

This has absolutely no impact on indexing in IDE. In both cases the same files are indexed. No overhead.