Package & Dependency Management

Fall 2024

1

Outline

1. Discussion of Readings
2. Exploration of different package managers
3. Using Docker to experiment with different software versions / packages
4. Lab 5

2

Outline

• Discussion of Readings
• Exploration of different package managers
• Using Docker to experiment with different software versions / packages
• Lab 5

3

What do we mean by Dependency Management?

Your thoughts here…

4

What happened in the LeftPad Debacle?

Your thoughts here…

What happened in the Everything Debacle?

Your thoughts here…

​

What are the trade-offs associated with relying on dependencies?

​

Pros of packages:

• Easier and better to use an established package
• Saves
• Your mistakes are on you – no blame elsewhere
• Online community and forum / documentation that you can tap into
• Interoperability.

​

Pros of doing it yourself:

• You know how everything works
• Less awareness of package vulnerabilities

7

What should you consider before adding a new dependency to your software project?

​

• How closely the package matches the scope of your project.
• Take a look at the source code / implementation
• How many people are using
• How may dependencies does the package have?
• Recently updates
• Issue tracker
• Documentation
• ​

8

Stuff that can go wrong…

​

• If “DepA” was introduced, and now lots of people at your organization rely on DepA, who should maintain it?
• What if one of the dependencies that DepA relies on – DepB – has a security vulnerability. DepB now requires that you upgrade to a newer version, but DepA relies on the previous version of the dependency. What do you do?

9

Some dependencies we will be using…

1. What dependencies have you already used in this class (software you’ve installed or regularly use in this class)?�
2. Coming up: Python & JavaScript dependencies – how do we manage those!? Examples:
1. Database connection helpers
2. Packages for simplifying HTTP requests
3. Web server packages
4. REST API packages
5. Authentication
6. Widgets for building UIs

10

Layers of Dependencies

​

Systems dependency managers manage programs for a single host machine.

What are some examples of systems dependency managers?

• Linux – apt
• Mac – brew
• Windows – WinGet?

11

Outline

• Discussion of Readings
• Exploration of different package managers
• Using Docker to experiment with different software versions / packages
• Lab 5

12

Why might we need more fine-grained dependency management tools?

​

As a programmer who writes software, a global, system-level dependency management tool might not be enough! Why?

• Multiple software projects may rely on multiple versions of the same language or framework
• different versions lead to different behaviors
• setting up a dev environment can be complex
• system-level packages can be old
1. Sometimes your OS package manager installs a really old version of a language / framework

13

JavaScript Dependency Management

Make sure Node.js is installed…

• ex: npm is for front-end development (also yarn)

$ npm init

$ npm install react react-dom

$ npm install prettier --save-dev

​

• npm manages package.json and package-lock.json
• Dependencies are stored in the node_modules directory at the root of the project
• Exclude node_modules from version control. Why?

Python Dependency Management

• pip is a package manager used to install system-level python packages.
• However (important): you can create “virtual environments” (venv) – additional python installations that don’t conflict with your systems-level Python installation(s).
• To manage these virtual environments, wrappers around pip and venv are now used

Python Dependency Management: Poetry

• In this class, we will be using a tool called Poetry to manage python virtual environments
• Poetry manages pyproject.toml and poetry.lock files

$ pip install poetry

$ poetry init

$ poetry search request

$ poetry add request

$ poetry install

$ poetry run [whatever]

Common Features of a Good Package Manager

Poetry and NPM provide:

• A Nice CLI (command-line interface)
• Text-file dependency tracking (for version control) – usually declarative
• Reproducibility

​

Docker: Cool Stuff

With Docker, you can install containerized versions of new libraries, languages, etc. without having to worry about software incompatibilities with your existing OS / software libraries.

• This has obviated the need for software version managers – tools like nvm (node version manager) and rvm (ruby version manager) were popular
• With Docker, just run whichever version of your language in a container…and then delete the container when you’re done with it!

DEMO

Outline

• Discussion of Readings
• Exploration of different package managers
• Using Docker to experiment with different software versions / packages
• Lab 5

19

Docker Experiments

​

Please try the following (make sure that Docker is running):

docker run -it python:2.7

docker run -it python:latest

docker run -it node:latest

​

What happened?

• How did Docker know how to run these containers?
• https://hub.docker.com/search?image_filter=official
• What do the -i and -t flags do?
• -i interactive
• -t interact with the terminal shell

20

Docker Experiments

​

Try running some local files with various versions of Python and Node:

• Make a directory in the root of your csci338 folder called lecture06. Inside of lecture06, create two files: hello.py and hello.js

hello.py

def main():

print("hello world")

​

if __name__ == "__main__":

main()

hello.js

console.log("hello world!")

21

Docker Experiments

​

docker run python:latest python hello.py

docker run node:latest python hello.js

​

Amazing!! Now delete all of the containers you just made. You could do this via the Docker UI, but try doing it via the command line

22

Outline

• Discussion of Readings
• Exploration of different package managers
• Using Docker to experiment with different software versions / packages
• Lab 5

23

Lab 5: Practice Using Package Managers

​

On Thursday, you will be doing a short-ish lab to explore some dependencies using three different package managers:

1. Apt / brew
2. Poetry
3. NPM

​

See you Thursday!

24