DEV Community

Discussion on: How 4 lines of Java code end up in 518772 lines in production.

Collapse
 
brianverm profile image
Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻

Spring is not the issue, I honestly love spring-boot!

  • The issue is knowing what you are using and why
  • Being aware that by blindly importing dependencies, there is a risk.
  • You are responsible for not only the code you write, both from a security point of view and maintenance.

I'm sorry if that was not clear to you from the article.

Collapse
 
190245 profile image
Dave

I'm honestly going off Spring, and have been for the last few years - mostly because of the opinionation issue.

The security aspect can be somewhat mitigated by having your own dependency repository hosted internally, with appropriate security controls, but the upgrade path (and trusting 3rd party developers both in terms of security and bugs) is troublesome no-matter what.

That said, blind dependency importing & monitoring changes isn't unique to Spring, hell, with Maven I can write custom plugins to jump into the build phases & inject whatever code I want.

Ultimately, measuring the fat jar size is probably not the best way to illustrate the number of dependencies - many of them will be in the jar, but never executed because they're not referenced from any other code - they're just floatsam & jetsam.

Maybe a better way would be to spin up something like SonarQube with an appropriate rule set (not the default), write 99.999% test coverage, and then look at the SonarQube report to see if it flags up issues - since one thing it does do, is an OWASP scan).