Dependency thoughts
Things I think about dependencies (in applications)
- Being annoyed with all the dependencies is hard to square with building an application. I can't help but think that you can only hold the opinion that dependencies are unnecessary if you've never really built a whole big ol' application.
- The whole point of NPM and semver is that you are never forced to update dependencies, but the whole exercise of maintenance - dependabot, renovate, security scanners, and so on, is to keep updating everything all the time.
- There's no real standard for how up to date everything needs to be. GitHub updates their Rails version on every single commit, but most developers can attest to most companies having projects with ancient dependencies. Updating too much is bad: it's work that isn't related to product-market fit or revenue. Updating too little is bad: unpatched vulnerabilities pile up and you have to consult archived documentation.
- libyear seems like a good idea but has almost no traction. Why? There are NPM modules that update daily (AWS) and others that update yearly: "new versions since last update" is meaningless because of this.
- Good dependency maintenance has not been automated. Which dependency upgrade is going to give you another transitive version of esbuild, thus spiking your node_modules size by 10MB or more? Dependabot and Renovate won't tell you. You can string together GitHub Actions to do this but it's a hack. Why is this such a hack? I don't know.
- A lot of my 'edge' or 'senior programmer energy' is from the fact that I read a lot. Reading documentation, reading source code, and reading things like package-lock.json and pnpm-lock.yaml. I fear that a lot of people tune out these files but they are really pretty important: when a small dependency update yields a lot of additional lines in package-lock.json, that's a big deal! I wish there was a better way to surface this. I will keep encouraging people to read more.
- Evaluating dependencies is basically media literacy, and it's difficult to automate or teach. You need to pay attention to a lot of different signals in order to tell bad from good. A shortcut is in the bullet point before, though: reading.
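The two complaints above (a "small" bump that quietly adds a second copy of esbuild, and "versions behind" being a meaningless staleness metric) are both things a script can surface from files you already have. What follows is an added example written for this page, not code from the post or from any of the tools it names. It assumes the lockfileVersion 3 layout of package-lock.json (a "packages" map keyed by install path) and a per-version publish-date map shaped like the "time" field the npm registry returns for a package. The lockfile contents, package names (example-bundler, example-helper) and dates are constructed for the example.

```javascript
// Added example (not from the original post). Two checks a lockfile review
// wants: (1) a structural diff of two package-lock.json "packages" maps that
// lists new paths, version changes and duplicate installs of one package;
// (2) a libyear-style drift figure computed from publish dates, which does
// not depend on how often a package cuts releases.

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Map of install path -> { name, version }, skipping the root entry ("")
// and workspace symlinks (entries with "link": true).
function installedEntries(lock) {
  const entries = new Map();
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || meta.link) continue;
    entries.set(lockPath, { name: packageNameFromPath(lockPath), version: meta.version });
  }
  return entries;
}

// Packages installed at more than one version (once per nesting path).
function duplicateVersions(lock) {
  const byName = new Map();
  for (const { name, version } of installedEntries(lock).values()) {
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(version);
  }
  const dupes = {};
  for (const [name, versions] of byName) {
    if (versions.size > 1) dupes[name] = [...versions].sort();
  }
  return dupes;
}

function compareLockfiles(oldLock, newLock) {
  const before = installedEntries(oldLock);
  const after = installedEntries(newLock);
  const added = [], removed = [], changed = [];
  for (const [p, e] of after) {
    if (!before.has(p)) added.push(`${p}@${e.version}`);
    else if (before.get(p).version !== e.version) changed.push(`${p}: ${before.get(p).version} -> ${e.version}`);
  }
  for (const [p, e] of before) if (!after.has(p)) removed.push(`${p}@${e.version}`);
  return { added: added.sort(), removed: removed.sort(), changed: changed.sort(), duplicates: duplicateVersions(newLock) };
}

// libyear drift: for each installed entry, years between the publish date of
// the installed version and the newest date known for that package. Packages
// absent from the date map are skipped rather than guessed.
function libyears(lock, publishDates) {
  const DAY = 24 * 60 * 60 * 1000;
  let total = 0;
  for (const { name, version } of installedEntries(lock).values()) {
    const times = publishDates[name];
    if (!times || !times[version]) continue;
    const installed = Date.parse(times[version]);
    const newest = Math.max(...Object.values(times).map(Date.parse));
    total += (newest - installed) / DAY / 365.25;
  }
  return total;
}

// Constructed sample: bumping example-bundler 1.0.0 -> 1.1.0 drags in a nested
// second esbuild plus a new transitive package.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/esbuild': { version: '0.18.0' },
  'node_modules/example-bundler': { version: '1.0.0' },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/esbuild': { version: '0.18.0' },
  'node_modules/example-bundler': { version: '1.1.0' },
  'node_modules/example-bundler/node_modules/esbuild': { version: '0.19.0' },
  'node_modules/example-bundler/node_modules/example-helper': { version: '2.0.0' },
} };
// Constructed publish dates, shaped like the registry "time" map.
const PUBLISH_DATES = {
  esbuild: { '0.18.0': '2023-06-01T00:00:00Z', '0.19.0': '2023-08-01T00:00:00Z' },
  'example-bundler': { '1.0.0': '2023-01-01T00:00:00Z', '1.1.0': '2023-07-01T00:00:00Z' },
};

function demo() {
  return { diff: compareLockfiles(OLD_LOCK, NEW_LOCK), libyears: libyears(NEW_LOCK, PUBLISH_DATES) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it against the constructed data reports one changed path, two added paths, esbuild installed at both 0.18.0 and 0.19.0, and a drift of 61 days (about 0.17 libyears) coming entirely from the root esbuild. In a real pipeline the two lockfiles would be `git show base:package-lock.json` and the working copy, and the date map would be fetched from the registry per package; the point is that the duplicate-install and drift signals are already in the data, they just are not what "1 dependency updated" tells you.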