Adrian Faciu
Principal software engineer. Focused on front-end. Learning something new each day. Building things at WeVideo.
Dependency management
in Modern Web Projects
25 Jun 2025
Adrian Fâciu
Dependencies
npx create-next-app@latest
npx sv create my-app
npx degit solidjs/templates/js my-app{
"name": "my-next-app",
"version": "0.1.0",
"private": true,
"scripts": {...},
"dependencies": {
"react": "^19.0.0",
"react-dom": "^19.0.0",
"next": "15.3.4"
},
"devDependencies": {
"typescript": "^5",
"@types/node": "^20",
"@types/react": "^19",
"@types/react-dom": "^19"
}
}npm install jotai
yarn add jotai
pnpm install jotainpm install daisyui
yarn add daisyui
pnpm install daisyui
"Software engineering is programming integrated over time.”
After a while...
Unused or missing dependencies
npm install react-router
import { cookie } from "cookie";
const setCookie = cookie.serialize("foo", "bar");
Missing or unused dependencies
Knip
Slow application (load)
-
monitor direct (and total) dependencies count
-
monitor bundle size
-
analyze bundle
Slow application (load)
-
webpack performance
-
Angular budgets
-
vite-plugin-bundlesize
Slow application (load)
-
vite-bundle-visualizer
-
webpack-bundle-visualizer
-
rollup-bundle-visualizer
Slow application (load)
Version conflicts
Version conflicts
-
update packages
-
overrides / resolutions
Version conflicts
"resolutions": {
"left-pad": "1.1.0",
"d2/left-pad": "1.1.1",
"c/**/left-pad": "1.1.2"
}License
License
-
webpack-license-plugin
-
rollup-license-plugin
-
license-compliance
Security vulnerabilities
audit command
Security vulnerabilities
-
Dependabot
-
Renovate
-
Snyk
Supply chain attacks
-
Fix versions
-
Private package registries
-
Isolate build env / 3rd party tools
Update hell
-
npm-check-updates
-
yarn upgrade-interactive
-
pnpm update -interactive
Update hell
-
always use lock files
-
(almost) never delete them
Update hell
Update often?
Patches and minor versions
Broken or unmaintained
-
remove
-
patch-package
-
fork the repository
This is already enough work...
Enter monorepos
same challenges as before
+++
-
a lot more packages
-
internal dependencies
-
version conflicts
-
redundant installations
-
inconsistent CI/CD
-
etc
Challenges
Lerna
=> workspaces
workspaces
workspaces
{
"workspaces": [
"apps/*",
"packages/*",
]
}workspaces
Centralized Dependency Management
workspaces
-
hoisting
-
shared packages
-
one command to install everything
-
run commands in each package
-
etc.
Lerna? 😢
-
Versioning
-
Publishing
-
Do we publish packages?
-
How do we want our teams to use packages?
-
How do we want to update to new versions?
Monorepo management
Dependency dilemma
-
Single version policy
-
Independent versions
-
Hybrid approach
Single version policy
{
"name": "my-next-app",
"version": "0.1.0",
"private": true,
"scripts": {...},
"dependencies": {
"react": "^19.0.0",
"react-dom": "^19.0.0",
"next": "15.3.4"
},
"devDependencies": {
"typescript": "^5",
"@types/node": "^20",
"@types/react": "^19",
"@types/react-dom": "^19"
}
}Single version policy
{
"name": "my-shared-module",
"private": true,
"scripts": {...},
"dependencies": { },
"devDependencies": { }
}Single version policy
-
Team coordination is possible
-
Consistency is critical
-
Reduced maintenance overhead
No (individual) build
No (individual) build
{
"name": "my-package",
"exports": {
".": "./lib/lib.ts",
"./lib": "./lib/lib.ts",
"./feature": "./feature/myFeature.ts",
"./component": "./component.tsx"
}
} -
Teams Need Autonomy
-
Incremental Upgrades Required
-
Projects are Loosely Coupled
Independent version
Independent version
Hybrid approach
Critical Dependencies Centrally Managed
Specific tools for monorepos
-
NX
-
Turborepo
-
Rush
Special mention
What (else) can we do?
-
add as few dependencies as possible
-
have a process for adding dependencies
-
view dependencies as tools
Deliver value to our users
Dependency management
By Adrian Faciu
