You're probably familiar with JVM, or the Java Virtual Machine. It's a standard diagnostic interface used to test Java software; so standard, in fact, that Mykel Alvis (@mykelalvis) of Array Consulting urges developers to think beyond its testing capabilities. They need to think about repository managers.
“If you take away anything from the talk today," he told attendees of the Nexus User Conference, "it is this: please use a caching, and preferably security-scanning, artifact repository in your development practice.”
“Data suggests that dependency management is very important," he continued, drawing on personal experience and specific examples. “Dependency management is a frequently ignored constraint.”
What Is a Repo Manager?
Here’s a brief explainer. A repo manager allows developers to store artifacts so they can:
- Reference them across time
- Prevent them from being overwritten
Additionally, a repo manager gives developers:
- a way to proxy artifacts from the interwebs
- a target for security scanning
Minimize Risk with a Repo Manager
Mykel went on to urge views to consider the risks if they don’t include a repo manager in their toolset. For example:
Protection against risks that other people take. Individual risky behavior might directly affect you. A classic example is the huffy removal of 11 lines of npm code in 2016. One man’s tantrum almost “broke the internet.”
Protection against your own dumb behavior. (Hey, we’re all guilty!) “Transitive dependency graphs are rarely analyzed fully,” said Mykel. Repo managers can help you figure out what went wrong. Also, if you cache everything, you can roll back.
Watch Mykel’s full presentation here.