1 of 29

Package & Dependency Management

Fall 2025

1

2 of 29

Please Help

High School Students visiting this Saturday from 9:30-11:00AM!
PLEASE HELP ME!!!!!!!!

3 of 29

Outline

More on Docker
Discussion of Readings
Exploration of different package managers
More time for Lab 4

3

4 of 29

Outline

More on Docker
Discussion of Readings
Exploration of different package managers
More time for Lab 4

4

5 of 29

What did you think of Docker?

6 of 29

Images, Containers, and Volumes

What is an Image?
What is a Container?
What is a Volume?
What is a Bind Mount?
What is the purpose of a Dockerfile?
What is the purpose of a docker-compose.yml file?

An image is like a class in object-oriented programming.
A container is like an instance (object) of that class. You can create multiple containers from the same image, just like you can build multiple houses from the same blueprint or create multiple objects from a class.
A Docker volume is a persistent storage mechanism that allows data to be stored outside of a container’s filesystem, so it remains even when the container stops or is removed.
A bind mount in Docker is a way to directly map a directory or file from the host machine into a container. Unlike volumes, which are managed by Docker, bind mounts rely on an existing directory on the host and provide more control over storage locations.
What’s the purpose of a Dockerfile? – A Dockerfile is a script that defines how to build a Docker image. It contains a series of instructions that specify the base image, dependencies, configurations, and commands needed to create a reproducible environment.
A Docker Compose file (docker-compose.yml) is a YAML configuration file that defines and manages multi-container Docker applications. It allows you to define services (containers), networks, and volumes in a structured and reusable way.

7 of 29

Docker: Cool Stuff

With Docker, you can install containerized versions of new libraries, languages, etc. without having to worry about software incompatibilities with your existing OS / software libraries.

With Docker, just run whichever version of your language in a container…and then delete the container when you’re done with it!

8 of 29

Docker Experiments

Please try the following (make sure that Docker is running):

docker run -it python:2.7

docker run -it python:latest

docker run -it node:latest

What happened?

How did Docker know how to run these containers?

https://hub.docker.com/search?image_filter=official

What do the -i and -t flags do?

-i interactive
-t interact with the terminal shell

8

9 of 29

Docker Experiments

Try running some local files with various versions of Python and Node:

Make a directory in the root of your csci338 folder called lecture06. Inside of lecture06, create two files: hello.py and hello.js

hello.py

def main():

print("hello world")

if __name__ == "__main__":

main()

hello.js

console.log("hello world!")

9

10 of 29

Docker Experiments

docker run python:latest python hello.py

docker run node:latest node hello.js

Amazing!! Now delete all of the containers you just made. You could do this via the Docker UI, but try doing it via the command line

10

11 of 29

What if you wanted to try out Rust?

Download, build, and run the Rust container: �docker run -it rust:latest bash
Install vim:�apt update && apt install vim
Create a hello.rs file on the Docker container using vim: (https://doc.rust-lang.org/rust-by-example/hello.html)
Compile it: rustc hello.rs
Run it: ./hello

12 of 29

Outline

More on Docker
Discussion of Readings
Exploration of different package managers
More time for Lab 4

12

13 of 29

What do we mean by Dependency Management?

What is a dependency?

Someone else’s code that you rely on for your code to work. So that you don’t have to reinvent the wheel every time you do something.

Why are they so hard to manage?

You open up your code to “chain reactions”
Less control

13

14 of 29

What happened in the LeftPad Debacle?

Scene 1: left pad used by the entire internet but only 10 lines of code (trivial)
Scene 2: Programmer and company have argument over copyright.

Open Source v. Copyrighted version

Scene 3: Corporation wins
Scene 4: Node.js creates some new protections so that this doesn’t happen again

Azer Koçulu, a developer, deleted 273 of his npm packages, including a small but widely used package called left-pad – which was only 11 lines of code – causing major disruptions in web development globally.
The deletion of left-pad broke thousands of applications, including major frameworks like React, as many projects unknowingly depended on it through nested dependencies. Developers worldwide faced build failures and errors, with the missing package affecting businesses, websites, and developers in multiple countries.
Started when Kik, a messaging company, requested Koçulu rename his kik npm package, citing trademark rights. The discussion escalated, with threats of legal action.
npm, the package registry, sided with Kik and transferred ownership of the kik package, which angered Koçulu and led to his decision to remove all his packages.
npm made an unprecedented decision to restore left-pad, overriding Koçulu’s deletion to prevent further breakage in the ecosystem.
The event exposed the fragility of the modern web development ecosystem, where a single developer’s decision could have widespread consequences.
The situation sparked debates about the reliability of package managers, open-source governance, and whether developers should rely on tiny, trivial dependencies.

UNIX Philosophy:

The prevailing philosophy of the Unix operating system: do one thing well. This means, for example, that it's generally better to create a function or module that can solve one problem, reliably and efficiently, than to try to tackle multiple problems at the same time.

15 of 29

What happened in the Everything Debacle?

See notes below

16 of 29

What are the trade-offs associated with relying on dependencies?

What are dependencies good?

You can use code that someone else wrote that’s good.
Reduces the complexity of your code
Can rely on other ppl to keep things current and updated

What are the downsides?:

See previous slides
Deprecation – package no longer maintained.

16

17 of 29

What should you consider before adding a new dependency to your software project?

Budget – some dependencies have +/- efficiencies for the task
How well it’s maintained.

Company reputation

Has it stood the test of time?

Update schedule
Big changes happening (new features versus minor edit).
# of downloads, # size of the team
Look at the forum – are people’s questions getting answered (nicely)

17

18 of 29

Stuff that can go wrong…

If “DepA” was introduced, and now lots of people at your organization rely on DepA, who should maintain it?
What if one of the dependencies that DepA relies on – DepB – has a security vulnerability. DepB now requires that you upgrade to a newer version, but DepA relies on the previous version of the dependency. What do you do?

18

19 of 29

Some dependencies we will be using…

This week: Python & JavaScript dependencies – how do we manage those!? Examples:

Database connection helpers
Packages for simplifying HTTP requests
Web server packages
REST API packages
Authentication
Widgets for building UIs

19

20 of 29

Layers of Dependencies

Systems dependency managers manage programs for a single host machine.

What are some examples of systems dependency managers?

OS: brew. Linux: apt, dnf, yum. Window: winget, chocolatey
Python: pip, poetry
Node: npm, yarn, npmpm

20

21 of 29

Outline

More on Docker
Discussion of Readings
Exploration of different package managers
More time for Lab 4

21

22 of 29

Why might we need more fine-grained dependency management tools?

As a programmer who writes software, a global, system-level dependency management tool might not be enough! Why?

Multiple software projects may rely on multiple versions of the same language or framework

Different versions lead to different behaviors

Different language features / environments move at different time scales, so system-level packages can be old

Your OS package manager could install an older version of the tool you need

22

23 of 29

JavaScript Dependency Management

Make sure Node.js is installed…

ex: npm is for front-end development (also yarn)

$ npm init

$ npm install react react-dom

$ npm install prettier --save-dev

npm manages package.json and package-lock.json
Dependencies are stored in the node_modules directory at the root of the project
Exclude node_modules from version control. Why?

24 of 29

Python Dependency Management

pip is a package manager used to install system-level python packages.
However (important): you can create “virtual environments” (venv) – additional python installations that don’t conflict with your systems-level Python installation(s).
To manage these virtual environments, wrappers around pip and venv are now used

25 of 29

Python Dependency Management: Poetry

In this class, we will be using a tool called Poetry to manage python virtual environments
Poetry manages pyproject.toml and poetry.lock files

$ pip install poetry

$ poetry init

$ poetry search request

$ poetry add request

$ poetry install

$ poetry run [whatever]

26 of 29

Common Features of a Good Package Manager

Poetry and NPM provide:

A Nice CLI (command-line interface)
Text-file dependency tracking (for version control) – usually declarative
Reproducibility

27 of 29

Lab 5: Practice Using Package Managers

On Thursday, you will be doing a lab to explore some dependencies using three different package managers:

Apt / brew
Poetry
NPM

See you Thursday!

27

28 of 29

Outline

More on Docker
Discussion of Readings
Exploration of different package managers
More time for Lab 4

28

29 of 29

Keep working on Lab 4