Here’s a tiny little done-in-a-couple-hours project consisting of a single static Web page and a cute little badge you can slap on your GitHub project.
The Web site is at 0dependencies.dev. The badge is visible on my current open-source projects; for example, check out Topfew (you have to scroll down a bit).
Zero, you say? · In recent months I keep seeing these eruptions of geek angst about the fulminating masses of dependencies squirming under the surface of just about any software anyone uses for anything. The most recent, and what precipitated this, was Mike Perham’s Kill Your Dependencies.
It’s not just that dependencies are a fertile field for CVEs (*cough* xz *cough*) and tech debt, they’re also an enemy of predictable performance.
Also, they’re unavoidable. When you take a dependency, often you’re standing on the shoulders of giants. (Unfortunately, sometimes you’re standing in the shoes of clowns.) Software is accretive and it’s a good thing that that’s OK because it’s also inevitable.
In particular, don’t write your own crypto, etc. Because in software, as in life, you’re gonna have to take some dependencies. But… how about we take less? And how about, sometimes we strive for zero?
The lower you go · … the closer you are to zero. So, suppose you’re writing library code. Consider these criteria:
It’s low-level and might be useful to a lot of apps aimed at entirely different goals.
Good performance is important. Actually, let me revise that: predictably good performance is important.
Security is important.
If you touch all three of these bases, I respectfully suggest that you try to earn this badge: (By the way, it’s cool that I can toss a chunk of SVG into my HTML and it Just Works. And, you can click on it.)
How to? · First, whatever programming language you’re in, try to stay within the bounds of what comes with the language. In Go, where I live these days, that means your go.sum file is empty. Good for you!
Second, be aggressive. For example, Go’s JSON support is known to be kind of slow and memory-hungry. That’s OK because there are better open-source options. For Quamina, I rejected the alternatives and wrote my own JSON parser for the hot code path. Which, to be honest, is a pretty low bar: JSON’s grammar could be inscribed on a grain of rice, or you can rely on Doug Crockford’s JSON.org.
So, get your dependencies to zero and display the badge proudly. Or if you can’t, think about each of your dependencies. Does each of them add enough value, compared to you writing the code yourself? In particular, taking a dependency on a huge general-purpose library for one small simple function is an antipattern.
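A check in that spirit, added here as an example and not code from the post or from any of its projects: it lists every require entry in a go.mod (direct and indirect alike, since an empty go.sum means none of either) using only the standard library, so a CI step can fail the build when the count is not zero. The sample go.mod is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

type Dependency struct {
	Path, Version string
	Indirect      bool // marked "// indirect": pulled in by a dependency
}

// ParseRequires lists every require entry in go.mod text, one-line and
// block form alike, using only the standard library (importing
// golang.org/x/mod to count dependencies would miss the point).
func ParseRequires(gomod string) []Dependency {
	var deps []Dependency
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 { // strip comments
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			deps = append(deps, Dependency{f[0], f[1], indirect})
		case line == "require (":
			inBlock = true
		case len(f) == 3 && f[0] == "require":
			deps = append(deps, Dependency{f[1], f[2], indirect})
		}
	}
	return deps
}

// Constructed sample go.mod with one direct and one indirect dependency.
const sample = "module example.com/lib\n\ngo 1.22\n\nrequire (\n\tgithub.com/a/b v1.2.3\n\tgolang.org/x/c v0.1.0 // indirect\n)\n"

func main() {
	deps := ParseRequires(sample)
	for _, d := range deps {
		fmt.Println(d.Path, d.Version, "indirect:", d.Indirect)
	}
	fmt.Println("badge eligible:", len(deps) == 0) // false for the sample
}
```

To use it on a real module, read the go.mod file into a string and exit nonzero when ParseRequires returns anything.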
What are you going to do, Tim? · I’m not trying to start a movement or anything. I just made a badge, a one-page website, and a blog post.
If I were fanatically dedicated, 0dependencies.dev would be database-backed with a React front-end and multiple Kubernetes pods, to track bearers of the badge. Uh, no.
But, I’ll keep my eyes open. And if any particularly visible projects that you know about want to claim the badge, let me know and maybe I’ll start a 0dependency hall of fame.
Comment feed for ongoing:
From: Colin Rafferty (Sep 05 2024, at 10:58)
If I link to your svg, I have 1 dependency.
From: Nik (Sep 05 2024, at 15:51)
JSON parsing is exactly the sort of thing that can be fraught with corner cases where rolling your own is not a good idea.
E.g., vulnerabilities described in https://bishopfox.com/blog/json-interoperability-vulnerabilities
From: Christoph (Sep 06 2024, at 00:16)
The dk.brics.automaton Java library comes to my mind immediately. Very pure, incredibly fast and efficient (C-like code actually) and only Junit test dependencies.
https://github.com/cs-au-dk/dk.brics.automaton
https://www.brics.dk/automaton/
Plus, it has heavy impact. A copy of this is used in Lucene, which again is used in so many places you might even have it on your phone nowadays (or at least the website you are just using uses it under the hood)
From: Mike Taylor (Sep 06 2024, at 01:20)
I love this, but can you please change the badge from red (which means danger) to green (which means OK)?
From: Ben Kehoe (Sep 06 2024, at 02:54)
Is there a pithy description for no dependencies *other than official SDKs for services the code is designed to interact with?* This is a situation I find myself in quite often.
Except when I have to talk to API Gateway, because there isn't a usable SigV4 signer for the python requests library from AWS 🤬
From: Carson Gross (Sep 06 2024, at 09:27)
htmx has zero dependencies
From: Jon Snow (Sep 06 2024, at 11:51)
0dependencies.dev seems to get Google fonts but not use them.