Dependency Management

01 — Purpose

npm install is easy; living with packages is not. Transitive deps, security advisories, bundle weight, and breaking upgrades accumulate silently until upgrades become a quarter-long project.

See JavaScript cost and JS module architecture.

02 — Principles

audit dependencies regularly — security, maintenance status, overlap
minimise package count — one tool per job, not three date pickers
prefer native platform features — fetch, Intl, CSS, semantic HTML before libraries

03 — Practice

require justification for new deps — problem, alternatives considered, bundle impact
pin and update on a schedule — not only when something breaks
run automated audits — npm audit, Dependabot, or equivalent in CI
measure bundle impact — see performance budgets before adding heavy clientside libraries
document why a dep exists — future you should not fear removing the wrong one

04 — Avoid

unnecessary libraries — lodash for one function, moment for one format
abandoned packages — no releases, open CVEs, unmaintained transitive trees
duplicated functionality — two HTTP clients, two state managers, two CSS frameworks
installing dev tools into production bundles by mistake
ignoring third-party script weight — see third-party performance

05 — Close

Schedule quarterly dependency reviews. Remove unused packages. Replace small deps with native code where maintenance cost exceeds benefit.

See frontend security checklist, JavaScript cost, and progressive enhancement strategy.

Every package is a commitment

Dependencies are long-term commitments

Good dependency management

Dependency debt

Default to no