
Sonatype Blog

Repository Management: An Easy Way to Minimize Risk

July 05, 2019 By Katie McCaskey

You're probably familiar with the JVM, or Java Virtual Machine. It's a standard diagnostic interface used to test Java software; so standard, in fact, that Mykel Alvis (@mykelalvis) of Array Consulting urges developers to think beyond its testing capabilities. They need to think about repository managers.

“If you take away anything from the talk today," he told attendees of the Nexus User Conference, "it is this: please use a caching, and preferably security-scanning, artifact repository in your development practice.”

“Data suggests that dependency management is very important," he continued, drawing on personal experience and specific examples. “Dependency management is a frequently ignored constraint.”

What Is a Repo Manager?

Here’s a brief explainer. A repo manager allows developers to store artifacts so they can:

  • Reference them across time
  • Prevent them from being overwritten

Additionally, a repo manager gives developers:

  • a way to proxy artifacts from the interwebs
  • a target for security scanning

Minimize Risk with a Repo Manager

Mykel went on to urge viewers to consider the risks they take on if they don’t include a repo manager in their toolset. For example:

Protection against risks that other people take. Individual risky behavior might directly affect you. A classic example is the huffy removal of 11 lines of npm code in 2016. One man’s tantrum almost “broke the internet.”

Protection against your own dumb behavior. (Hey, we’re all guilty!) “Transitive dependency graphs are rarely analyzed fully,” said Mykel. Repo managers can help you figure out what went wrong. Also, if you cache everything, you can roll back.
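The behaviours the post attributes to a repo manager (storing artifacts so they can be referenced across time and not overwritten, proxying upstream artifacts, acting as a target for security scanning, and caching everything so you can roll back) can be modelled in a few dozen lines. The Python below is an added example, not code from Nexus, Sonatype or Mykel's talk; the `Upstream` registry, the `CachingRepo` class, the package name `example-pad` and its contents are all constructed for illustration. It walks through the scenarios the post describes: an upstream author pulling a package after it has been cached, an attempt to overwrite an existing version, and a scan quarantining a newer release so builds fall back to the cached one.

```python
import hashlib
from dataclasses import dataclass, field


class ArtifactConflict(Exception):
    """Raised when a publish would silently replace a different artifact."""


class ArtifactUnavailable(Exception):
    """Raised when an artifact cannot be served (missing upstream or quarantined)."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Upstream:
    """Constructed stand-in for a public registry whose contents can vanish."""
    packages: dict  # (name, version) -> artifact bytes

    def fetch(self, name: str, version: str) -> bytes:
        try:
            return self.packages[(name, version)]
        except KeyError:
            raise ArtifactUnavailable(f"{name}@{version} is not in the upstream registry") from None

    def unpublish(self, name: str, version: str) -> None:
        # Models the 2016 npm incident the post refers to: an author pulls a package.
        self.packages.pop((name, version), None)


@dataclass
class CachingRepo:
    """Hypothetical caching, immutable artifact repository sitting in front of an upstream."""
    upstream: Upstream
    quarantined: set = field(default_factory=set)   # digests a security scan has rejected
    upstream_fetches: int = 0
    _store: dict = field(default_factory=dict)       # (name, version) -> (digest, bytes)

    def resolve(self, name: str, version: str) -> bytes:
        """Serve from cache; go to the upstream only on the first request for a coordinate."""
        key = (name, version)
        if key not in self._store:
            data = self.upstream.fetch(name, version)
            self.upstream_fetches += 1
            self._store[key] = (sha256(data), data)
        digest, data = self._store[key]
        if digest in self.quarantined:
            raise ArtifactUnavailable(f"{name}@{version} quarantined by scan ({digest[:12]})")
        return data

    def publish(self, name: str, version: str, data: bytes) -> None:
        """Store an artifact; a coordinate can never be overwritten with different bytes."""
        key = (name, version)
        digest = sha256(data)
        if key in self._store and self._store[key][0] != digest:
            raise ArtifactConflict(f"{name}@{version} already exists with a different digest")
        self._store[key] = (digest, data)

    def versions(self, name: str) -> list:
        """Every cached version stays referenceable, which is what makes rollback possible."""
        return sorted(v for n, v in self._store if n == name)


def demo() -> dict:
    """Walk through the scenarios from the post and return the observable outcomes."""
    upstream = Upstream({("example-pad", "1.0.0"): b"module.exports = pad;\n"})  # constructed
    repo = CachingRepo(upstream)

    original = repo.resolve("example-pad", "1.0.0")     # first request: fetched, then cached
    repo.resolve("example-pad", "1.0.0")                # second request: served from cache
    upstream.unpublish("example-pad", "1.0.0")          # the dependency disappears upstream
    survived = repo.resolve("example-pad", "1.0.0") == original

    try:
        repo.publish("example-pad", "1.0.0", b"something else entirely\n")
        overwrite_blocked = False
    except ArtifactConflict:
        overwrite_blocked = True

    # A newer version is published, then flagged by a scan; builds can roll back to 1.0.0.
    newer = b"module.exports = pad2;\n"
    repo.publish("example-pad", "1.0.1", newer)
    repo.quarantined.add(sha256(newer))
    try:
        repo.resolve("example-pad", "1.0.1")
        quarantine_enforced = False
    except ArtifactUnavailable:
        quarantine_enforced = True
    rollback_ok = repo.resolve("example-pad", "1.0.0") == original

    return {
        "upstream_fetches": repo.upstream_fetches,
        "survived_unpublish": survived,
        "overwrite_blocked": overwrite_blocked,
        "quarantine_enforced": quarantine_enforced,
        "rollback_ok": rollback_ok,
        "versions": repo.versions("example-pad"),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The two properties worth noticing are that `upstream_fetches` stays at one however many times the artifact is resolved, and that `1.0.0` remains available both after the upstream unpublishes it and after `1.0.1` is quarantined; a build pinned to either version keeps working, and rolling back is just resolving the older coordinate.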

Watch Mykel’s full presentation here.

Tags: repository manager, Nexus Repository, Nexus User Conference, Product

Written by Katie McCaskey

Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.