How to win a risky game of using libraries/nuget packages


#1 underestimated risk in .NET projects:

Libraries you add to your code.

Yes.

They are necessary in every project.

Yes.

They speed up development massively.

But, I've faced many maintenance issues while working with libraries in the past 12 years.

The most expensive time it happened to me?

I was working on a project where I had to parse incoming Excel files.

For that, I used EPPlus, a popular open-source library for handling Excel files. The library was great and made development faster and easier.

But several months into the project, after we completed a lot of features:

  1. EPPlus became a paid product and required a commercial license.
  2. That meant we either upgraded or stayed stuck on version 4.5.2, missing out on new features and on security fixes.
  3. The company eventually decided to upgrade since Excel import and manipulation were critical for onboarding new clients to a platform.
  4. So they decided to buy 5 licenses for my team.

Each license cost $409 per developer per year (a total of $2,045). In this case, the ROI of using this library was greater than the cost.

But when you lock in on a library, you need to be prepared for things like this.

After all, every library you add is a maintenance burden and a risk.

Common risks when using libraries (and how to minimize them)

Here are some common risks when using NuGet packages:

  • An open-source library becomes commercial - as explained above, it happened to me.
  • Library goes obsolete - and no one maintains it anymore. Best case, you rely on someone from the open-source community to fix the bugs. Or delve into the source code and fix it yourself.
  • Security issue - a vulnerability in the dependency (or in one of its transitive dependencies) is a vulnerability in your application, and it is usually public in an advisory before you notice it.

To minimize the risks:

  • Abstract libraries behind interfaces you create. This makes changing libraries a lot less of a challenge.
  • Minimize the number of libraries. Don’t import the whole library if it contains something you could easily build in a few hours. The next section will help you with this.
  • Upgrade as frequently as possible. Take a look at the last part of the email if you want to automate NuGet upgrades.
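The first bullet (abstract the library behind your own interface) combined with the security bullet, as an added example that is not code from the original email. The application depends only on `ISpreadsheetReader`; the EPPlus 4.x adapter is the single class that references `OfficeOpenXml`, so swapping the library means writing one new adapter. The adapter also refuses oversized sheets, because an uploaded Excel file is untrusted input. The interface, class and limit names are assumptions made for this example; the EPPlus calls (`ExcelPackage`, `Workbook.Worksheets`, `Dimension.End`, `Cells[r, c].Text`) are the 4.x API, and EPPlus 5+ additionally requires `ExcelPackage.LicenseContext` to be set.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using OfficeOpenXml; // EPPlus; only this file references it

// The rest of the application talks to this interface and never to EPPlus.
public interface ISpreadsheetReader
{
    // Returns the first worksheet as rows of cell text.
    // Throws SpreadsheetTooLargeException when the sheet exceeds the limits.
    IReadOnlyList<IReadOnlyList<string>> ReadFirstSheet(Stream file);
}

public sealed class SpreadsheetTooLargeException : Exception
{
    public SpreadsheetTooLargeException(string message) : base(message) { }
}

// Adapter for EPPlus 4.x (the last LGPL line). Replacing the library means
// replacing this class only. (Hypothetical name for this example.)
public sealed class EpplusSpreadsheetReader : ISpreadsheetReader
{
    private readonly int _maxRows;
    private readonly int _maxColumns;

    public EpplusSpreadsheetReader(int maxRows = 10_000, int maxColumns = 100)
    {
        _maxRows = maxRows;
        _maxColumns = maxColumns;
    }

    public IReadOnlyList<IReadOnlyList<string>> ReadFirstSheet(Stream file)
    {
        if (file is null) throw new ArgumentNullException(nameof(file));

        using (var package = new ExcelPackage(file))
        {
            var sheet = package.Workbook.Worksheets.FirstOrDefault();
            // Dimension is null for a worksheet that contains no cells.
            if (sheet?.Dimension == null)
                return Array.Empty<IReadOnlyList<string>>();

            int rows = sheet.Dimension.End.Row;
            int cols = sheet.Dimension.End.Column;

            // Uploaded files are untrusted input: refuse to materialise a sheet
            // that would exhaust memory before the caller ever sees a row.
            if (rows > _maxRows || cols > _maxColumns)
                throw new SpreadsheetTooLargeException(
                    $"Sheet is {rows}x{cols}; limit is {_maxRows}x{_maxColumns}.");

            var result = new List<IReadOnlyList<string>>(rows);
            for (int r = 1; r <= rows; r++)        // EPPlus cell indices are 1-based
            {
                var row = new string[cols];
                for (int c = 1; c <= cols; c++)
                    row[c - 1] = sheet.Cells[r, c].Text ?? string.Empty;
                result.Add(row);
            }
            return result;
        }
    }
}

// Application code: depends on the interface, not on the library.
public sealed class ClientImporter
{
    private readonly ISpreadsheetReader _reader;

    public ClientImporter(ISpreadsheetReader reader) => _reader = reader;

    // Returns the number of client rows found (header row skipped).
    public int Import(Stream upload)
    {
        var rows = _reader.ReadFirstSheet(upload);
        return rows.Skip(1).Count(r => r.Count > 0 && !string.IsNullOrWhiteSpace(r[0]));
    }
}

// Wiring in Program.cs / the DI container (assumed Microsoft.Extensions.DependencyInjection):
// services.AddSingleton<ISpreadsheetReader>(new EpplusSpreadsheetReader());
// services.AddTransient<ClientImporter>();
```

Unit tests for `ClientImporter` can now use a fake `ISpreadsheetReader` and never load EPPlus at all, which is also the cheapest way to find out how deep a library has leaked into your code base: if you cannot write that fake, the abstraction is not there.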

4 wickedly effective questions you have to ask before adding a library

Before adding a new library, here are 4 questions I have:

  1. Is it popular? How many downloads does it have?
  2. Is it actively maintained? How many developers maintain it?
  3. Could this library introduce a major security issue to my project? Does it parse untrusted input, ship native code, or drag in a long tail of transitive dependencies? Does it have open advisories?
  4. How easy, straightforward, and fast could I build library features I will use?

Based on the assessment, I either decide to:

  • Use the library
  • Look for an alternative.
  • Build my own solution if it doesn’t require too much upfront work and ongoing maintenance. But be careful so you don’t fall into reinventing the wheel trap.

How to update libraries automatically using GitHub robots

You can use GitHub's built-in dependency-update tool to automate NuGet version upgrades:

Dependabot.

Dependabot is a GitHub feature that opens Pull Requests to bump your NuGet packages to newer versions. It can also alert you, and raise a fix PR, when a package you use has a known vulnerability listed in the GitHub Advisory Database.

But it’s not limited to NuGet. It also supports:

  • npm
  • Gradle
  • Maven
  • Docker
  • … and many more

To enable it, follow the instructions on this page.

After you set up everything, you will start to get automated Pull Requests.
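A minimal `.github/dependabot.yml` for a NuGet project, as an added example that is not part of the original email. It assumes the `.sln`/`.csproj` files sit at the repository root; the group name and the `ignore` entry for EPPlus (so a major version bump, which for EPPlus means a new license, never arrives unreviewed) are illustrative choices for this example.

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"                # folder containing the .sln / .csproj files
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    # Batch non-breaking bumps into a single PR; major bumps still arrive
    # one per package so each breaking change gets its own review.
    groups:
      nuget-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Packages that must never be bumped across a major version automatically,
    # e.g. a commercially licensed one where the major version is the license tier.
    ignore:
      - dependency-name: "EPPlus"
        update-types: ["version-update:semver-major"]
```

Two caveats. This file controls scheduled version updates only; Dependabot alerts and the security-update PRs are switched on separately under the repository's Security settings, and they fire only for advisories GitHub knows about and for packages its dependency graph can see. Keep a second, local line of defence in CI with `dotnet list package --vulnerable --include-transitive`, which checks the advisory data published on the NuGet feed and also walks transitive dependencies, so a vulnerable package pulled in by another package does not slip through just because it never appears in your `.csproj`.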

As a summary:

Be picky. Use libraries.

But treat them as a potential liability.

Not as an asset.

Enjoy your weekend.

Kristijan

P.S. I would love to hear from you. If you enjoy the emails, please let me know here. Thanks!

Kristijan Kralj

Weekly newsletter packed with code-improving tips, tools, and strategies to become a better .NET developer.
