Software Development from Zero
by Sergey Okinchuk
The Developer's EnvironmentChapter 7: Code Quality & Craftsmanship
Topic 04

Dependencies & Package Managers

Concept

Almost no software is written entirely from scratch. Developers build on top of existing code that other people wrote and maintain — date handling, image processing, encryption, and thousands of other solved problems. Pulled into a project, that reused code is a dependency, and it's the single biggest productivity multiplier in software.

Bringing in and keeping track of all that borrowed code is handled by a package manager. The whole arrangement is enormously powerful — and a real source of risk, which is why it's worth understanding even at a concept level.

An analogy: cooking with quality store-bought ingredients instead of milling your own flour and pressing your own oil. It's faster and usually better — but you're trusting the suppliers, and a bad ingredient becomes your problem.

Dependencies pull in their own dependencies
Cadence
the application your team writes
date-utils
a library you added for streak math
tiny-timezone
something date-utils itself needs
http-client
a library for talking to the API

Libraries and Dependencies

A library is a reusable bundle of code that solves a common problem, published for others to use. When your project relies on one, that library becomes a dependency — your code now depends on it to work. Using libraries is standard and wise: re-solving a problem that thousands have already solved well is usually a waste, and often less correct than the battle-tested version.

Package Managers

A package manager is a tool that fetches, installs, and tracks a project's dependencies — and, crucially, pins their exact versions so every developer and every server builds with the same code. You name the libraries you want; the package manager downloads them and records precisely which versions are in use. npm (for JavaScript) and pip (for Python) are common examples. It's the difference between a managed list and a chaotic pile of borrowed code.

Transitive Dependencies

Here's the catch that surprises beginners: your dependencies have dependencies of their own, and those have more. Pull in one library and you may quietly pull in fifty others it relies on — these indirect ones are called transitive dependencies. A modern project's dependency tree can run thousands deep, almost none of it written by your team. The package manager keeps that whole tree organized.

The Risks

All that borrowed code carries real risks. Dependencies add bloat (code you ship but barely use), can break when you upgrade them, and — most seriously — can contain security holes that become your security holes. A flaw in a library deep in your tree is a flaw in your product. This "supply chain" risk is so important it gets its own treatment in the security chapter; for now, just know that every dependency is a convenience and a liability at once.

Cadence uses a well-known date-handling library rather than writing tricky streak-and-calendar math from scratch — a sensible reuse. Its package manager pins that library to an exact version, so Marcus's machine, Lena's machine, and the production server all build with identical code. And when a security advisory later lands for that library, the team knows it's in their tree and patches it — borrowed code, borrowed responsibility.

Common Confusions
  • "Using libraries is cheating — real developers write it all themselves." Reusing solid libraries is standard, professional practice; re-solving solved problems wastes time and is often less correct.
  • "More dependencies means a more capable project." Each dependency is also a liability to maintain, upgrade, and secure. Fewer, well-chosen ones usually beat a sprawling pile.
  • "A package manager is basically an app store for programs." It manages code components for a project, with versioning and a whole dependency tree — not finished apps for end users to install.
Why It Matters
  • Dependencies are everywhere in real projects — understanding them explains how teams move so fast, and why "we use library X" is such a common sentence.
  • Knowing about transitive dependencies and pinned versions sets up reproducible builds and supply-chain security, both covered later.
  • Seeing each dependency as both convenience and liability builds the judgment to choose them carefully rather than grabbing every shiny library.

Knowledge Check

What is a dependency?

  • Existing library code your project relies on, reused instead of rewritten
  • A defect somewhere in your code that depends on another part in order to appear
  • A team member whose work the rest of the team depends on
  • A feature that users have said they cannot do without

What does a package manager do?

  • Fetches, installs, and tracks dependencies, pinning their exact versions
  • Delivers the finished application to all of the end users for them to install
  • Organizes the team's tasks and assigns them to developers
  • Runs the finished program and shows its output to users

What is a transitive dependency?

  • An indirect dependency — a dependency that your own dependency relies on
  • A dependency that your team deliberately added to the project
  • A dependency that is only needed for a short while and is then removed again
  • A dependency that has been checked and proven fully secure

Which is a genuine risk of depending on outside libraries?

  • A security hole in a library becomes a hole in your own product
  • Using any library at all marks the team as unskilled cheaters
  • Adding even a single library makes the whole project impossible to run
  • Dependencies always make the final program far too small

You got correct