Nov 26 2013
A Great Solution…
Maven, Leiningen, Nuget, Gradle, NPM, and numerous other package/dependency management tools are very helpful for modern (or perhaps post-modern) development, which typically involves numerous library dependencies.
These tools implement a fundamentally good and important idea:
- List the packages, and versions, your package/application depends on. In a text file. In the project. Where it can be diffed and merged.
- Run a command, and all the libraries are fetched and made available.
All of the above tools default to fetching from open source software repositories. Some or all of them can be easily configured to perform the same job with internal, closed-source repositories if needed.
All of the above tools are a large improvement over the bad old days, when adding a library meant a manual, recursive search of the internet for transitive dependencies.
… Leads to a New Problem
These tools make it so easy to “lock in” specific library versions that projects can very easily fall far behind the current release versions of those libraries. To avoid this in our projects, a few times per year we upgrade all the libraries (timed to avoid doing it right before any important release dates).
I’ve seen this done by hand, looking up the current version of each library – and it is very tedious. Instead, a package/dependency manager ought to have an easy way to update versions. Sadly, as far as I know none of them have such a thing built in. Here are the addon tools I’ve found so far:
- NPM: Use npm-check-updates. The built in “npm obsolete” sounds like it might do the right thing, but it doesn’t.
- Maven: The Versions Plugin does the job – usually “mvn versions:use-latest-releases” is a good starting point.
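As an added illustration (not the author's code, and not npm-check-updates itself), this small Node.js script shows the core check such a tool performs: compare each version declared in a package.json against the latest published release and report how far behind it has fallen. Both the manifest and the registry snapshot are constructed inline; nothing is fetched from the real npm registry.

```javascript
// Added example: a minimal "what has fallen behind" report in the spirit of
// npm-check-updates. The package.json below and the registry snapshot are both
// constructed for the example; nothing is fetched from the real npm registry.
const manifest = {
  name: "example-app",
  dependencies: { express: "~3.4.0", lodash: "^2.4.1", async: "0.2.9" },
  devDependencies: { mocha: "^1.13.0" },
};
// Constructed "latest" versions, standing in for what the registry would return.
const registryLatest = { express: "3.4.8", lodash: "2.4.1", async: "0.9.0", mocha: "1.21.5" };

// Split "1.2.3" (optionally prefixed with ^, ~, = or v) into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Classify how far a declared version lags the latest release: null when current,
// "major"/"minor"/"patch" by the first differing part, "ahead" if declared is newer.
function lagKind(declared, latest) {
  const d = parseVersion(declared), l = parseVersion(latest);
  const names = ["major", "minor", "patch"];
  for (let i = 0; i < 3; i++) {
    if (l[i] > d[i]) return names[i];
    if (l[i] < d[i]) return "ahead";
  }
  return null;
}

// Walk every dependency section, keep the author's range prefix (^ or ~) so the
// suggested spec can be written straight back into package.json, and flag
// packages the registry does not know about so they are not silently skipped.
function findOutdated(pkg, latestByName) {
  const report = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const latest = latestByName[name];
      if (latest === undefined) { report.push({ name, section, spec, lag: "unknown" }); continue; }
      const lag = lagKind(spec, latest);
      if (lag === null) continue;
      const prefix = /^[\^~]/.test(spec) ? spec[0] : "";
      report.push({ name, section, spec, lag, suggested: lag === "ahead" ? null : prefix + latest });
    }
  }
  return report;
}

console.log(findOutdated(manifest, registryLatest));
```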
If anyone knows of similar tools for other dependency managers, I’ll be happy to add them to this list.