{
    "slug": "dependency_management",
    "term": "Dependency Management Philosophy",
    "category": "general",
    "difficulty": "intermediate",
    "short": "Every dependency is a liability — prefer few well-maintained packages; pin versions via composer.lock; audit regularly.",
    "long": "Principles: prefer stdlib, prefer widely-used over niche, check licence (GPL contamination risk), pin versions (composer.lock records the exact version and source reference for every package, so dev, CI and production install the same code), audit regularly (composer audit). Left-pad problem (npm 2016): a widely-used 11-line package was unpublished, breaking thousands of projects — an availability failure rather than a malicious one, showing that a dependency can simply vanish as well as be compromised. Each dependency adds: security attack surface, version conflicts, licence risk, maintenance burden.",
    "aliases": [
        "dependency management",
        "composer lock",
        "left-pad"
    ],
    "tags": [
        "general",
        "php",
        "quality",
        "security"
    ],
    "misconception": "More dependencies save time — each adds security surface, conflicts, licence risk, and maintenance burden.",
    "why_it_matters": "Dependency management is not just about installing packages — it is about controlling what code runs in your application. A compromised or malicious package in your dependency tree can exfiltrate data, install backdoors, or corrupt your build. Pinning exact versions in composer.lock makes every environment install the same code, and running composer audit regularly flags packages with published advisories before they reach production — it cannot detect vulnerabilities or malicious releases that have no advisory yet, so it complements rather than replaces reviewing what you add. Third-party packages have become one of the most common vectors for large-scale compromises.",
    "common_mistakes": [
        "composer.lock not committed",
        "composer update in production (use composer install, which honours composer.lock instead of re-resolving versions)",
        "No licence review",
        "Depending on abandoned packages"
    ],
    "when_to_use": [
        "Pin exact versions in production lock files — deterministic builds prevent surprise breakage.",
        "Audit new dependencies for maintenance activity, licence compatibility, and known vulnerabilities before adding.",
        "Automate dependency updates with Dependabot or Renovate — humans do not reliably update dependencies — but keep CI and review in front of the merge: an auto-merged update is also the fastest route for a compromised release into your tree.",
        "Separate dev dependencies from production dependencies (require-dev, deployed with composer install --no-dev) — only production code ships to users, and test tooling should not widen the production attack surface."
    ],
    "avoid_when": [
        "Adding a package for a feature you could implement in 10 lines — every dependency is a supply chain risk.",
        "Ignoring outdated dependencies — stale packages accumulate security vulnerabilities.",
        "Committing vendor directories to version control when a lock file is sufficient.",
        "Using broad version constraints (^1.0) without a committed lock file and CI — minor updates can introduce breaking changes, and an unlocked range pulls in whatever the newest release is, including a compromised one."
    ],
    "related": [
        "dependency_audit",
        "typosquatting_packages"
    ],
    "prerequisites": [
        "composer",
        "semantic_versioning",
        "supply_chain_attack"
    ],
    "refs": [
        "https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control"
    ],
    "bad_code": "// Non-pinned: different versions on dev/CI/prod",
    "good_code": "// Checklist: <50 lines to DIY? Maintained? MIT licence? Audit in CI\ngit add composer.lock",
    "quick_fix": "Run composer audit (Composer 2.4+) weekly and on every CI run — it checks the locked packages against the Packagist security-advisories feed, which includes the PHP Security Advisories database, and usually finishes in seconds, so it can be a blocking step; it reports only published advisories, so pair it with review of new dependencies",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-16",
    "updated": "2026-03-25",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/dependency_management",
        "html_url": "https://codeclaritylab.com/glossary/dependency_management",
        "json_url": "https://codeclaritylab.com/glossary/dependency_management.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Dependency Management Philosophy](https://codeclaritylab.com/glossary/dependency_management) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/dependency_management"
            }
        }
    }
}