Most large-scale software programs are not written entirely from scratch. Rather than reimplementing many common functions themselves, the developers use external code libraries and frameworks (known as “packages”) that provide these functions for them. When one program depends on another package in this manner, the relationship is known as a software dependency.
What are the types of software dependencies?
In general, developers speak of two types of software dependencies:
- Direct software dependencies are those that developers directly reference in their codebase. For example, the NumPy package in the Python programming language is used for scientific computing and array operations. If a developer uses a NumPy function inside Python code (e.g. numpy.argmax), this is an instance of a direct dependency: the code directly depends on NumPy.
- Transitive software dependencies are those that a program indirectly depends on via other dependencies. For example, NumPy relies on the use of an accelerated linear algebra library such as OpenBLAS or Intel MKL(although this is automatically installed together with NumPy behind the scenes). Thus, programs that use NumPy have a transitive, or indirect, dependency on these linear algebra libraries.
Why should I care
Software dependencies, in general, are a good thing: they let developers write code faster and more efficiently by building on the work of other developers. However, the use of software dependencies also introduces challenges and issues that need to be handled appropriately.
It’s rare that a large-scale software program will only have direct software dependencies, much less no dependencies at all. The external packages used by developers often have dependencies of their own, creating a tangled web of transitive software dependencies.
As much as possible, developers should be aware of the transitive dependencies they are introducing into their software. However, this is easier said than done, since these dependencies are not visible when reading through the codebase. This is especially problematic for transitive dependencies that introduce bugs or security vulnerabilities.
Managing the complexities of the two types of software dependencies is often an unexpected drain on developers’ productivity. In the worst case, teams can end up in “dependency hell,” struggling to address difficulties with third-party packages such as abandoned projects, buggy code, or poor documentation.
Software dependencies and Packagecloud
Packagecloud is a hosted package repository service that helps teams get out of dependency hell and master the process of managing software dependencies. Developers can use Packagecloud to store the software packages they use in a single repository, and then distribute these packages to the devices and machines that need them.
With Packagecloud, users can stay on top of the dependencies they are using in a particular project or codebase. Packagecloud offers complete visibility into software dependency relationships while guarding against critical security vulnerabilities such as package dependency confusion attacks.