Dependency
dih-PEN-den-see
An external library or package that your project requires to function.
A dependency is a piece of code that your project uses but did not write. When a Node.js project imports Express, Lodash, or React, those are dependencies. They are listed in package.json (for JavaScript), requirements.txt (for Python), or Cargo.toml (for Rust). Your project depends on them: if they are missing, your code does not work.
Dependencies are a trade-off. They save you from reinventing the wheel. You do not need to write your own HTTP server when Express exists, or your own date library when date-fns exists. But each dependency is code you do not control. It can introduce bugs, security vulnerabilities, or breaking changes. The left-pad incident of 2016 showed what happens when a single 11-line dependency disappears: thousands of builds broke worldwide.
Managing dependencies well means understanding what you depend on, keeping dependencies updated (especially for security patches), pinning versions to avoid surprises, and periodically auditing whether each dependency is still needed. A project with 5 well-chosen dependencies is healthier than one with 200 packages imported casually.
Examples
A security vulnerability is found in a dependency.
GitHub's Dependabot flags a critical vulnerability in the project's version of jsonwebtoken (CVE-2022-23529). The team checks: this package is used in the authentication middleware. The vulnerable version allows token forgery. The fix is a one-line change in package.json to upgrade from 8.5.1 to 9.0.0. But the major version bump includes a breaking API change, so the team also updates three files that use the library. Total fix time: 45 minutes.
A team audits their dependency tree.
The project's package.json lists 24 direct dependencies. Running 'npm ls' reveals 1,847 transitive dependencies (dependencies of dependencies). The team reviews each direct dependency: two are no longer used, three have better alternatives with smaller footprints, and one has not been updated in four years. They remove the unused ones, replace the outdated ones, and reduce the total dependency count by 400 packages.
A dependency update breaks production.
The team uses '^3.2.0' for a date formatting library. The maintainer publishes 3.3.0 with a subtle behavior change: dates near midnight format differently. The team's nightly CI build picks up the new version, tests pass (the test data does not include midnight dates), and the change ships to production. Customer invoices start showing the wrong date. The team pins the version to '3.2.0' and adds test cases for midnight dates.
Frequently asked questions
What is the difference between a direct and transitive dependency?
A direct dependency is one you explicitly install and import in your code. A transitive dependency is something your dependency depends on. If you install Express, that is a direct dependency. Express depends on body-parser, which depends on raw-body. Those are transitive dependencies. You do not import them, but they are in your node_modules. A vulnerability in a transitive dependency can affect your project even though you never chose to use it. Tools like 'npm audit' check both direct and transitive dependencies.
Should you pin dependency versions?
Yes, use a lockfile (package-lock.json, yarn.lock, Cargo.lock). The lockfile pins every dependency, direct and transitive, to an exact version. This ensures that every developer and CI environment uses the same versions. Without a lockfile, 'npm install' might give different versions on different machines. Commit your lockfile to version control. Update dependencies intentionally with 'npm update', review the changes, and run tests before merging.
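The caret-range incident, the direct-versus-transitive question and the lockfile answer above, as one added example that is not part of this glossary entry: it inspects a constructed package.json and a simplified npm lockfile (assumed lockfileVersion 2/3 "packages" layout; every version except jsonwebtoken 8.5.1 is made up) and shows why '^3.2.0' admits 3.3.0 while an exact '3.2.0' does not.

```javascript
// Added example (not from the glossary entry). Constructed manifest and a
// simplified npm lockfile in the lockfileVersion 2/3 "packages" layout;
// all versions except jsonwebtoken 8.5.1 are illustrative.
const packageJson = {
  dependencies: { "date-fns": "^3.2.0", jsonwebtoken: "8.5.1", express: "^4.18.2" },
};
const packageLock = {
  packages: {
    "": { dependencies: packageJson.dependencies },
    "node_modules/date-fns": { version: "3.3.0" },     // what '^3.2.0' resolved to
    "node_modules/jsonwebtoken": { version: "8.5.1" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/body-parser": { version: "1.20.1" }, // transitive, via express
    "node_modules/raw-body": { version: "2.5.1" },     // transitive, via body-parser
  },
};

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Does a declared range accept a candidate version? Covers exact pins and npm
// caret ranges: ^a.b.c = same major and >= a.b.c; ^0.x.y also pins the minor.
function rangeAccepts(range, candidate) {
  if (!range.startsWith("^")) return range === candidate;
  const [ma, mi, pa] = parseSemver(range.slice(1));
  const [cm, ci, cp] = parseSemver(candidate);
  if (cm !== ma) return false;
  if (ma === 0) return ci === mi && (mi === 0 ? cp === pa : cp >= pa);
  return ci > mi || (ci === mi && cp >= pa);
}

// Summarise the tree: the lockfile, not package.json, says what is installed.
function dependencyReport(manifest, lock) {
  const direct = manifest.dependencies;
  const locked = {};
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path.startsWith("node_modules/")) locked[path.slice("node_modules/".length)] = meta.version;
  }
  // Direct deps that float on a range can change underneath you on a fresh install.
  const floating = Object.entries(direct)
    .filter(([, range]) => !/^\d+\.\d+\.\d+$/.test(range))
    .map(([name, range]) => ({ name, range, locked: locked[name] }));
  const transitive = Object.keys(locked).filter((name) => !(name in direct));
  return { directCount: Object.keys(direct).length, transitiveCount: transitive.length, floating };
}
```

On a real project, load both objects with JSON.parse(fs.readFileSync(...)) and run dependencyReport as a pre-merge check whenever the lockfile changes.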
Related terms
A tool that automates installing, updating, and removing software dependencies for a project.
A versioning scheme using MAJOR.MINOR.PATCH numbers to communicate the type of changes in each release.
Software whose source code is publicly available for anyone to view, use, modify, and distribute.
The process of compiling source code into a runnable application or deployable artifact.
The accumulated cost of shortcuts and deferred work in a codebase that slows future development.