
Dependencies

4th August 2024

My philosophy on dependencies is to have as few as possible, but no fewer. Apart from whether the project (the dependency itself) is actually good, there are really only three things I look for:

  • Popularity: Is it popular? The unfortunate reality is that the more people depend on it, the more likely it is to be maintained and battle-tested in production. My proxy for popularity is usually the number of GitHub stars, or download counts for something like a Docker image. Stars are a coarse signal and can be inflated, so I treat them as a floor to clear rather than a ranking.

  • Maintainer: Is it backed by a company, an individual, or a group of individuals? Is it used by large companies? Company-backed or commercially sponsored projects are far more likely to stay maintained. If a single contributor has 90% of the code changes, I have less confidence in the project, because it has a single point of failure: if that one person leaves or burns out, the project stalls with them.

  • Last updated: When was the last commit? If it has been a few years, the project is probably not being actively worked on. Is the original author still involved? New maintainers are usually not as invested in the project as the original author. A small, finished library can legitimately go quiet, so I also look at whether issues and pull requests still get responses.
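The maintainer and last-updated checks above can be scripted against a local clone. The following is an added example, not code from the original post: it parses the output of `git shortlog -sn --no-merges` and `git log --format=%at|%an`, computes the top contributor's share of commits, the days since the last commit, and whether the oldest-commit author is still committing, and flags the cases the post describes. The thresholds (90% single-contributor share, roughly two years idle, one year of inactivity for the original author) are assumptions chosen to match the post's rules of thumb, and the sample git output is constructed. The popularity signal (stars, downloads) needs a network call to GitHub or a registry and is deliberately left out so the script runs offline.

```python
"""Maintainer and last-updated signals for a dependency from its git history.

Added example (not from the original post). The thresholds below are
assumptions matching the post's rules of thumb.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone

SINGLE_CONTRIBUTOR_SHARE = 0.90   # post's "90% of the code changes" rule (assumed threshold)
STALE_AFTER_DAYS = 2 * 365        # post's "a few years" (assumed threshold)
ORIGINAL_AUTHOR_WINDOW_DAYS = 365 # assumed: original author must have committed within a year

# Constructed sample of `git shortlog -sn --no-merges HEAD` output: count, tab, name.
SAMPLE_SHORTLOG = """\
   912\tAlice Example
    61\tBob Builder
    27\tCarol Contributor
"""
# Constructed sample of `git log --format=%at|%an HEAD` output, newest first:
# author-date epoch seconds, then the author name.
SAMPLE_LOG = """\
1720000000|Bob Builder
1719000000|Bob Builder
1700000000|Alice Example
"""


@dataclass
class DependencyReport:
    top_contributor: str
    top_share: float
    days_idle: int
    original_author: str
    original_author_active: bool
    flags: list[str]


def parse_shortlog(text: str) -> dict[str, int]:
    """Turn `git shortlog -sn` lines ("  912\\tAlice") into {name: commit count}."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\t(.+)$", line)
        if m:
            counts[m.group(2).strip()] = int(m.group(1))
    return counts


def top_contributor_share(counts: dict[str, int]) -> tuple[str, float]:
    """Return (name, fraction of all commits) for the busiest contributor."""
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no commits found")
    name, n = max(counts.items(), key=lambda kv: kv[1])
    return name, n / total


def parse_log(text: str) -> list[tuple[int, str]]:
    """Turn `git log --format=%at|%an` output into [(epoch, author)], newest first."""
    entries = []
    for line in text.splitlines():
        ts, _, author = line.partition("|")
        if ts.strip():
            entries.append((int(ts), author.strip()))
    if not entries:
        raise ValueError("no commits found")
    return entries


def assess(shortlog_text: str, log_text: str, now_epoch: int) -> DependencyReport:
    """Apply the post's maintainer and last-updated rules to parsed git output."""
    name, share = top_contributor_share(parse_shortlog(shortlog_text))
    log = parse_log(log_text)
    days_idle = (now_epoch - log[0][0]) // 86400
    original_author = log[-1][1]  # author of the oldest commit
    cutoff = now_epoch - ORIGINAL_AUTHOR_WINDOW_DAYS * 86400
    original_active = any(a == original_author and t >= cutoff for t, a in log)

    flags = []
    if share >= SINGLE_CONTRIBUTOR_SHARE:
        flags.append(f"single point of failure: {name} has {share:.0%} of commits")
    if days_idle > STALE_AFTER_DAYS:
        flags.append(f"stale: last commit was {days_idle} days ago")
    if not original_active:
        flags.append(f"original author {original_author} has not committed "
                     f"in {ORIGINAL_AUTHOR_WINDOW_DAYS} days")
    return DependencyReport(name, share, days_idle, original_author, original_active, flags)


def assess_repo(path: str, now_epoch: int | None = None) -> DependencyReport:
    """Run the two git commands against a local clone and assess it."""
    def git(*args: str) -> str:
        return subprocess.run(["git", "-C", path, *args], check=True,
                              capture_output=True, text=True).stdout
    # HEAD is passed explicitly so shortlog does not try to read stdin.
    shortlog = git("shortlog", "-sn", "--no-merges", "HEAD")
    log = git("log", "--format=%at|%an", "HEAD")
    now = now_epoch or int(datetime.now(timezone.utc).timestamp())
    return assess(shortlog, log, now)


if __name__ == "__main__":
    # Run on the constructed sample with a fixed "now" so the output is reproducible.
    report = assess(SAMPLE_SHORTLOG, SAMPLE_LOG, now_epoch=1725000000)
    print(f"top contributor: {report.top_contributor} ({report.top_share:.1%})")
    print(f"days since last commit: {report.days_idle}")
    for flag in report.flags:
        print("FLAG:", flag)
```

On the constructed sample the script flags only the single-contributor concentration: Alice Example has 91% of the commits, but the project was touched 57 days ago and Alice committed within the last year. Point `assess_repo` at a real clone to run the same checks on a candidate dependency.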