Dependency management for cloud native apps
Dependency management is a very important aspect of every application's lifecycle. It has its own chapter in the twelve-factor app manifest: https://www.12factor.net/dependencies.
It is a very good summary of how to approach dependency management in your project (at all levels including OS dependencies). I would like to throw in my two cents and focus more on the software development part.
Keeping dependencies up to date
Make sure that the build tool you use has functionality that helps you keep up with your dependencies (either out of the box or via plugins). A project comprising several services can easily have tens of external dependencies. Staying up to date is not a super complex task, but (let's face it) it is a rather dull one, and dull tasks should be automated. Dependencies should be upgraded automatically every week (at minimum), and every upgrade should be followed by the full suite of unit and integration tests.
Under semantic versioning, minor and patch releases are supposed to be backwards compatible, and they are where bug fixes and security updates land, so automated upgrades should cover them as a baseline. Still run the tests on every bump: not every project honours semver, and a "minor" release can break you in practice.
Scanning dependencies for security vulnerabilities
Speaking of security updates: you should scan your dependencies on a regular basis for known vulnerabilities. You can use projects like Retire.js (for JavaScript) or OWASP Dependency-Check. There are also fully featured multi-platform, multi-language solutions like OWASP Dependency-Track, and many others.
If you are using GitHub to store your code, you get some security features out of the box.
You can set up GitHub code scanning to find security vulnerabilities and errors in your own code: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning.
GitHub Dependabot can scan your project and let you know if there are known vulnerabilities in your dependencies. Dependabot security updates (enabled in the repository settings) automatically open a pull request with a bumped version once a fixed release is available. Dependabot can also be configured to open a pull request every time a newer version is available (not only when there is a security vulnerability). More about Dependabot can be found here: https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates.
There are many more security-related features in GitHub. For a complete list see https://github.com/features/security.
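As an added example (not part of the original post), here is a `.github/dependabot.yml` that turns on weekly version updates for a hypothetical service with a Maven back-end, an npm front-end and a Dockerfile. Security updates are switched on in the repository settings rather than in this file; this file controls the scheduled version bumps. The paths and the grouping choices are assumptions for illustration:

```yaml
# .github/dependabot.yml (example; assumed repository layout)
version: 2
updates:
  # Back-end: Maven project in the repository root
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    # Bundle all minor and patch bumps into one PR so CI runs the full test suite once
    groups:
      backend-minor-and-patch:
        update-types: ["minor", "patch"]
    # Major bumps may break the API; leave those to a human
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # Front-end: npm project under /web (assumed path)
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
    groups:
      frontend-minor-and-patch:
        update-types: ["minor", "patch"]

  # Base images referenced in the Dockerfile
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # The CI workflow's own actions are dependencies too
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The `ignore` rule for major versions keeps the automated PRs to changes that semver promises are compatible; majors still show up if they carry a security fix, because security updates are not subject to the ignore rule in the same way, so check the PR label before merging.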
Checking dependencies' licenses for compliance
A very important step. Check the licenses of all your dependencies, for both the back-end (maven, gradle, npm, go, gems, ...) and the front-end (npm, grunt, yarn, ...). Prepare a list of approved licenses and fail every pull request that adds a dependency with a license that is not on the list. Review each new license and, if you accept it, add it to the approved list. If not, reject the pull request and pick another library.
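One way to implement that gate in CI, as an added example that is not part of the original post: generate a CycloneDX SBOM with whatever tool fits your ecosystem, then run a small check that compares each component's declared license against the approved list and exits non-zero on any violation. The approved list, the SBOM content and the handling of SPDX expressions (only unparenthesised `AND`/`OR`) are assumptions for illustration:

```python
"""License gate for a CycloneDX JSON SBOM (example code, not from the original post)."""
import json
import sys

# Assumed allowlist; adjust to your organisation's policy.
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def expression_approved(expr: str, approved: set[str]) -> bool:
    """Evaluate an SPDX expression without parentheses.

    In SPDX, AND binds tighter than OR, so split on OR first:
    the expression is acceptable if any OR-branch has all of its AND-terms approved.
    """
    for branch in expr.split(" OR "):
        terms = [t.strip() for t in branch.split(" AND ")]
        if all(t in approved for t in terms):
            return True
    return False


def component_licenses(component: dict) -> list[str]:
    """Return the license identifiers or expressions declared for one component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    # No declared license is itself a finding: someone has to look it up.
    return found or ["UNKNOWN"]


def find_violations(sbom: dict, approved: set[str] = APPROVED_LICENSES) -> list[tuple[str, str]]:
    """Return (component, license) pairs that are not covered by the approved list."""
    violations = []
    for comp in sbom.get("components", []):
        name = f"{comp.get('name')}@{comp.get('version')}"
        for lic in component_licenses(comp):
            if not expression_approved(lic, approved):
                violations.append((name, lic))
    return violations


def check_sbom_text(text: str, approved: set[str] = APPROVED_LICENSES) -> list[tuple[str, str]]:
    return find_violations(json.loads(text), approved)


# Constructed sample SBOM covering the cases the gate must handle:
# a plain SPDX id, an OR expression, a free-text license name, and no license at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "dual-licensed-lib", "version": "3.1.0",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"name": "acme-widget", "version": "1.2.3",
         "licenses": [{"license": {"name": "Custom EULA"}}]},
        {"name": "mystery-lib", "version": "0.1.0"},
        {"name": "copyleft-thing", "version": "4.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})


def main(argv: list[str]) -> int:
    """Usage: license_gate.py sbom.json ; with no argument the constructed sample is checked."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SBOM
    violations = check_sbom_text(text)
    for name, lic in violations:
        print(f"REJECT {name}: license '{lic}' is not on the approved list")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire `python license_gate.py sbom.json` into the pull request pipeline after the SBOM step; a non-zero exit fails the check. Treating a missing license as a violation rather than silently passing it is deliberate: packages with no license metadata are exactly the ones that need a human look.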
Share the love
There are a lot of open-source foundations, government institutions, startups, tech giants, and even banks that open-source their work. Every project that I have worked on used open-source technologies, and I'm pretty sure the same is true for you.
If you have found a bug, implemented an enhancement, or maybe even added a brand new feature, please contribute it back. Every contribution counts and every contribution makes a difference!
If you're on another open-source level, you may even consider sharing your own project. That's how the open-source community is changing the world around us. Share the love!