Enterprise-Grade Node.js: Part 2

Adam Eri
Published in blackmirror
2 min read · May 9, 2017

In part 1 of this series, I shared some ideas about the basic principles for building critical applications using node.js. In this part, I focus on dependencies and automation.

Dependency Management

According to the latest Stack Overflow Developer Survey, everyone is a Full Stack JavaScript Developer (Node+Angular) with only a few years of experience.

When you install any package from npm, you depend on software that these developers wrote. Do you trust their skills and their code? Do you really want to build your company on code you cannot control? You and your HR team spend a lot of time and money on hiring the best developers you can find, yet you trust these devs blindly?

You should not. I am not saying these are bad people writing shit code; I am saying I have no idea.

And I do believe this ecosystem is not ideal for critical applications. You install packages without even realising it. Even worse, sometimes the version numbers are not specified correctly in a package.json, and packages jump major versions without you knowing about it. Or the exact opposite: they still use old, deprecated versions of libraries. Is this secure? Absolutely not.

When getting a task, some developers tend to look for an npm package, install it, and kind of make it work. For instance, using passport-activedirectory for AD integration. Yes, it works, but it installs 3MB of packages on top of ldap.js, which by itself would do the job for you.

In the output above, you can see the sheer number of different packages installed. In a larger project, the size of the node_modules folder can easily grow to hundreds of megabytes.

What To Do Then?

Do not install packages you do not necessarily need. Write your own code, and test and maintain it properly. For instance, you will probably never need this package.

Make sure to have exact versions in your package.json file.

Verify the security of your dependencies and update/replace if needed.

Join the open source community and report or fix issues that you find.
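As an added example (not code from the original post), the check below flags every dependency specifier in a package.json that is not an exact version, so a caret, tilde, wildcard or dist-tag cannot let a package jump versions under you. The package.json object is constructed for the demo; the package names and versions in it are illustrative.

```javascript
// Exact semver: MAJOR.MINOR.PATCH with optional prerelease / build metadata.
// Anything else (^, ~, *, >=, "latest", git or file specs) is treated as floating.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns [{ section, name, spec }] for every specifier that is not pinned.
// Pass it the parsed contents of your own package.json.
function findUnpinned(pkg) {
  const unpinned = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(String(spec).trim())) {
        unpinned.push({ section, name, spec });
      }
    }
  }
  return unpinned;
}

// Constructed sample package.json: two pinned packages, four that would float.
const samplePackageJson = {
  name: 'critical-service',
  dependencies: {
    ldapjs: '1.0.2',      // exact: the build always gets this release
    express: '^4.15.2',   // caret: any later 4.x is accepted
    lodash: '~4.17.4',    // tilde: any later 4.17.x is accepted
    request: '*',         // wildcard: whatever is newest
  },
  devDependencies: {
    mocha: '3.4.1',       // exact
    eslint: 'latest',     // dist-tag: resolves to a different version over time
  },
};

function report(pkg) {
  const offenders = findUnpinned(pkg);
  for (const o of offenders) {
    console.log(`${o.section}.${o.name}: "${o.spec}" is not an exact version`);
  }
  return offenders.length; // non-zero means the build should fail
}

report(samplePackageJson);
```

Exact specifiers only cover direct dependencies; transitive ones are pinned by a lockfile (package-lock.json or yarn.lock) committed to the repository.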

Automation

Manual operations are doomed to fail. Provisioning of servers, deployment, documentation and testing should all be automated to save time and avoid errors.

Dockerize. Containers are good for you. It is crucial to have the same environment in production and in development.

Continuous Delivery. Define your processes (build project, generate docs, run tests, etc.), then automate them. We use Jenkins Pipeline: when code is pushed to the repository, the pipeline runs automatically.

Automate early. While it takes much greater effort at first, it pays off in the mid and long run. Once you have your CD in place, you can focus on software development.
