No more Headaches with an Old Tech projects.
How to Manage Dependencies with BOM (Bill of Material)
Hello Everyone Welcome to another Techie Talk….😉
Today i’m going to talk about an interesting topic. Lets get into that….
There are so many things we learned about development, serverless, microservices, Java, Node, Nest, but how can we take them to production?
When we learning we learnt so many good technologies. In reality, you may have to work with old technologies if we are working on an actual project. Because you can’t replace everything in a overnight. As an example struts, spring old versions maybe even not using maven also. This is the reality. Because you are a software engineer your job is to do those, you cannot ignore the fact that I cannot work on this project.
One could argue with me that we have so many great new technologies today, why can’t we turn it immediately? Sometimes it’s true. But I hope this will helps you a lot.🔥
I will explain this from using this three categories,
- Java based project — old technology (Struts, Spring old version, without dependency management framework like maven or gradle)
- Java based project — with maven or gradle.
- Node/Nest/TS based project.
01. Java based project — old technology
Once you learn one of these you can apply as it is onto your work. Assume the 2nd and 3rd use Docker and Kubernetes, and the 1st uses basic on-prem servers. because this is the reality. We can learn about AWS and AZURE, but when we get to work, we can’t tell whether we always had those luxuries.
What will be the problem 🤔
Take your project it will be use struts, spring or any other. so those jar files copy or link into the lib folder.
but here is the issue…..
We had a 3 developers they use copied different versions of jar files into their lib folder.
So when you run this on UAT (User acceptance testing) it maybe run on a different version, when run on a QA (Quality assurance) it also run on a different version like wise production also pick different version. Therefore, how do we ensure whatever version is available on your development goes to production?
Lets see how we do those dependency management 💭
Although there are multiple ways to do this and different frameworks to use, what I will be talking about will be much easier. It doesn't use any framework.
Take a establish project or program. And it has all the versions and stuffs to run.
The versions that we deside to use we can use BOM (build of Materials ) as to define it.
Ex:
A.jar 1.2.0
B.jar 2.4.0
C.jar 1.5.6
Since we don’t use maven or gradle, those jar files should be checked with a tool to ensure they are not crashing each other and are vulnerable safe. After that make this files as a bundle or as a ZIP file and host it to the repository.
Now tell every developer to download and link this lib folder to their project. In that case every developer will use the same version.
And this has another benefit when it goes to QA/UTA/PROD, they only need the developer’s code and they can use the same lib folder in the repository. If the compilation is broken it means that some developers are not using the same version.
How to update or add jar files to the project 🔄
Adding new jar files is as simple as adding them to the lib folder, performing vulnerability and crash tests, and hosting them in the repository as a new version.
Send email to all developers to download and use that new version. simple
02. Java based project — with maven or gradle.(without Docker/ Kubernetes )
In This section also we consider there is no docker. so lets see how we manage dependencies with maven.
The first step is to create a pom file that includes all the libraries & dependencies. Push it to the repository so that all developers can access it separately.
Now what you do is in your project you refer this dependency under the parent tag. What will it happen is developers don’t control their version. if someone need a new version he need to contact the architect or someone who manage the project. Then, what will do they is they add it to the pom file and publish a new version
03.Node/Nest/TS based project.(with Docker / Kubernetes)
Let’s consider two variations for this,
- Java project with maven/gradle.
- Node projcet with NPM or Yarn.
I will use Node Project with npm to explain this model.
Create Docker
First create docker file from Node latest and then we copy the package.json file and you run npm install command
that will be your docker… whatever the version that you deside to include to the project it will include all your dependencies. we name this docker as “cosmos-base”
Use Docker in your Services
Use the docker from cosmos-base and run your code using npm run build. just simple. So what it will do is it will base the cosmos-base as a base image and run your code on it. So that developer dosen’t need to install anything.
Mistakenly or someone use more dependencies in locally for build the code and it will run on locally well. but what happen when it will push to the dev branch? Yes it can’t compile because base image doesn’t include that dependencies. As a result, developers will need to contact those who are responsible for managing the Docker containers.
Conclusion ✅
Why are we not allowing developers to add their own dependencies.
Generally, dependencies are built using maven or npm, both of which are open source. In other words, sometimes individual developers control a team of developers. The Risk is it will crash the entire program if it encounters a bug in a version that each developer uses. Additionally, it will make the application insecure.
Another word for it is “every developer can access it”, which means that it is open to anyone. That is a huge vulnerability
Hope you Learn Something…. Keep Follow for more interesting topics. See You On Next Talk!!! 👀
