#4-2019-Sep-“How to depend on a 3rd party package?”

This article is an attempt to formalize my strategy for how to depend on a 3rd party package. I describe my procedure in the following scenarios:

  1. first-time-use-3rd-party-package

  2. you-need-to-customize-a-3rd-party-package

  3. you-need-to-upgrade-a-3rd-party-package-for-your-current-project

  4. security-failure-on-a-package-used

  5. summary

First time you use a 3rd party package

  1. (Optional) Check for alternatives

  2. (Optional) Determine why I need this

  3. github_stars < 10 and not trustable(repo_owner) –> ABORT!

  4. github_stars < 1000 –> perform a quick analysis of dependencies and check the code

  5. pip install {package_name} –> notice that I am not installing from the repo; most_recent != most_reliable

  6. (Optional) Read through the documentation

  7. (Optional) Read through the src code and tests

You need to customize a 3rd party package

  1. pip install package

  2. copy src dir (/Users/espen/workspace/compilers/python/lib/python3.7/site-packages/faust) to your local src directory /Users/espen/workspace/ea_code/python/src

  3. make changes

  4. if want_pull_request:

     1. fork into external

     2. copy over changed files

     3. checkout branch and perform changes

     4. create a pull request

  5. if pull_request_accepted_and_released:

     1. pip install updated_package

     2. remove local src dir.

You need to upgrade a 3rd party package for your current project

pip install -U {package_name}

  • Only new projects should use the latest version <– no extra cost of starting from the new version

  • Old projects should continue to use the previous version <– if it is working don’t break it!

Security vulnerability on a package used

  1. Use safety for detecting vulnerabilities.

  2. Upgrade all projects that depend on the package

What does this require from your CI/CD system?

  1. 3rd party dependencies must be locked during deployment

  2. CI system must run safety

  3. (Optional) CI system should generate 3rd party dependency files automatically
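The first two CI requirements, as a small added gate (example code, not from the original post): it refuses to deploy when any requirement line is not an exact `==` pin and otherwise hands the lock file to the `safety check -r` CLI. The file name `requirements.lock` and the sample lines are assumptions constructed for this example.

```python
"""CI gate: every dependency must be pinned exactly, then run `safety` on it."""
import re
import subprocess
import sys

# pip treats '#' as a comment only at line start or after whitespace, so the
# '#egg=' fragment of a VCS URL survives this strip.
COMMENT_RE = re.compile(r"(^|\s)#.*$")
# Exact pin: name[extras]==version, optionally followed by ';marker' or a
# trailing '\' continuation. Wildcards (==1.*) and ranges do not qualify.
PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;*]+(?=\s|;|$)")

def unpinned_requirements(lock_text):
    """Return requirement lines that do not pin an exact version (empty = locked)."""
    offenders = []
    for raw in lock_text.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if not line or line.startswith("--"):
            continue  # blank, or a pip option such as a '--hash=' continuation line
        if line.startswith("-") or not PINNED_RE.match(line):
            offenders.append(line)  # '-e' / '-r' pull in unlocked code; policy: reject
    return offenders

def run_safety(lock_path):
    """Run the `safety check` CLI from the post on the lock file; returns its exit code."""
    return subprocess.call(["safety", "check", "-r", lock_path])

# Constructed sample lock file (not a real project's requirements).
SAMPLE_LOCK = """\
faust==1.7.4
flask>=1.0
requests==2.22.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
-e git+https://example.invalid/x.git#egg=x
pyyaml
celery==4.*
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: python gate.py requirements.lock
        with open(sys.argv[1]) as fh:
            bad = unpinned_requirements(fh.read())
        if bad:
            sys.exit("Refusing to deploy, unpinned dependencies:\n  " + "\n  ".join(bad))
        sys.exit(run_safety(sys.argv[1]))
    print("Unlocked lines in sample:", unpinned_requirements(SAMPLE_LOCK))
```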


Managing dependencies is hard. Each of your projects has its own contracts (its API, interface, etc.). You should guarantee your contract by consistently running tests against it.

For me, it is always a risk to upgrade 3rd party packages. And since I don’t enjoy maintaining as much as I enjoy creating, I would rather have outdated packages than break something that works.