
The Nine Circles of Dependency Hell (and a roadmap out)

submitted by
Style Pass
2024-09-27 00:30:07

Your project has been overwhelmed by the complex web of its software dependencies to the point of stoppage. Most of the time we spend more effort fixing dependency issues than writing code. Every developer has been there.

Each circle represents a more evil transgression of package management. In the first circle are those who committed updated packages without recording them.

Most language package managers now suggest that you don't check a node_modules or vendor folder into version control. But there can still be inconsistencies between the packages actually in use and the package manifest, such as package.json or go.mod: a developer starts using a new dependency without explicitly adding it to the manifest, or stops using one without removing it.

Make sure your presubmit runs a check for this kind of drift, so a pull request cannot merge with a manifest that disagrees with the code. Before the pull request is merged is also a great time to vet new dependencies, for licensing as well as for security issues. For example, the bouk/monkey package on GitHub has a license that explicitly forbids anyone from using it!
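The check described above, as an added example that is not part of the original post: a small presubmit script for a Node project that compares the packages imported from source against what package.json declares and fails the build on drift in either direction. It is deliberately regex-based rather than a full JavaScript parser, so it will also pick up `require` calls inside comments or strings (a conservative choice for a gate: it only ever over-reports). The sample project it scans is constructed inline so the script runs offline; the package names in it (`minimist`, `@scope/thing`, `left-pad`) are illustrative, not a claim about any real project.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Match require('x'), import x from 'x', import {a} from "x", import 'x'.
# Only the specifier string is captured; relative paths are filtered below.
_REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
_IMPORT_RE = re.compile(r"""import\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]""")

# Node core modules are never declared in package.json (partial list, enough for the demo).
NODE_BUILTINS = {"fs", "path", "crypto", "http", "https", "os", "url", "util", "child_process"}


def package_name(specifier: str) -> str | None:
    """Reduce an import specifier to the npm package that provides it.

    Relative/absolute paths and Node built-ins ('fs', 'node:path') yield None.
    '@scope/pkg/sub' -> '@scope/pkg'; 'lodash/fp' -> 'lodash'.
    """
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    name = "/".join(parts[:2]) if specifier.startswith("@") else parts[0]
    return None if name in NODE_BUILTINS else name


def imported_packages(project: Path) -> set[str]:
    """Collect every third-party package imported by *.js files outside node_modules."""
    found: set[str] = set()
    for path in project.rglob("*.js"):
        if "node_modules" in path.parts:
            continue  # installed packages' own imports are not our manifest's business
        text = path.read_text(encoding="utf-8")
        for rx in (_REQUIRE_RE, _IMPORT_RE):
            for spec in rx.findall(text):
                name = package_name(spec)
                if name:
                    found.add(name)
    return found


def declared_packages(manifest: Path) -> tuple[set[str], set[str]]:
    """Return (runtime dependencies, all declared dependencies of any kind)."""
    data = json.loads(manifest.read_text(encoding="utf-8"))
    runtime = set(data.get("dependencies", {}))
    everything = set(runtime)
    for key in ("devDependencies", "peerDependencies", "optionalDependencies"):
        everything.update(data.get(key, {}))
    return runtime, everything


def manifest_drift(project: Path) -> dict[str, set[str]]:
    """Packages imported but not declared, and runtime deps declared but never imported.

    Only 'dependencies' are checked for the unused direction: devDependencies such as
    test runners or linters are executed, not imported, so they would be false positives.
    """
    used = imported_packages(project)
    runtime, declared = declared_packages(project / "package.json")
    return {"undeclared": used - declared, "unused": runtime - used}


def presubmit_check(project: Path) -> int:
    """Exit status for CI: 0 when the manifest matches the code, 1 otherwise."""
    drift = manifest_drift(project)
    for kind, names in drift.items():
        for name in sorted(names):
            print(f"{kind}: {name}")
    return 1 if drift["undeclared"] or drift["unused"] else 0


def build_demo_project() -> Path:
    """Constructed sample project (not a real code base) exhibiting both kinds of drift."""
    root = Path(tempfile.mkdtemp(prefix="deps-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo",
        "dependencies": {"express": "^4.0.0", "lodash": "^4.0.0", "left-pad": "^1.0.0"},
        "devDependencies": {"jest": "^29.0.0"},
    }), encoding="utf-8")
    (root / "src").mkdir()
    (root / "src" / "app.js").write_text(
        "const express = require('express');\n"
        "const fp = require('lodash/fp');\n"          # subpath of a declared package
        "const routes = require('./routes');\n"       # local file, ignored
        "const fs = require('fs');\n"                 # built-in, ignored
        "const argv = require('minimist')(process.argv);\n",  # never declared
        encoding="utf-8")
    (root / "src" / "util.js").write_text(
        "import path from 'node:path';\n"
        "import { thing } from '@scope/thing/sub';\n"  # scoped, never declared
        "import './local.js';\n",
        encoding="utf-8")
    # An installed package's own imports must not count against our manifest.
    (root / "node_modules" / "express").mkdir(parents=True)
    (root / "node_modules" / "express" / "index.js").write_text(
        "module.exports = require('body-parser');\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    raise SystemExit(presubmit_check(build_demo_project()))
```

Run it as the last step of the presubmit and let the non-zero exit status block the merge; on a real project replace `build_demo_project()` with the repository root. For Go the equivalent gate is simpler and needs no custom scanner: run `go mod tidy` and fail if `git diff --exit-code go.mod go.sum` reports changes.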

Here wander those who will chase any dependency without vetting it. It might not have documentation, it might not have been updated in years, but for some reason, it calls your name to call its functions. We all want that new function, that latest version of the library.
