The question
Should we declare requirements (again) that are a transitive dependency of another dependency already?
Yesterday I came across a PR that added some new dependencies to a composer manifest. My immediate reaction was: that is redundant!
After all, we don’t declare most of the Doctrine packages, since they are required by Doctrine ORM anyway. Makes for an easy to understand composer manifest. Then the thing got me thinking, and I decided to check what others think. Composer is not the only, nor the oldest dependency manager, after all. So these two are worth reading IMHO:
- https://stackoverflow.com/questions/4226756/maven-should-i-keep-or-remove-declared-dependencies-that-are-also-transitives
- https://softwareengineering.stackexchange.com/questions/320128/is-it-better-to-rely-on-transitive-dependencies-or-explicitly-declare-them/320151
And there is even a book dealing with this topic (among others, of course): Maven: The Definitive Guide
A conclusion?!
Now, after reading this, I tend to believe two things:
- We should declare any library/package that is actually used in the code
- This is a ton of work now and later
Sigh
So much work, so little time
Maybe now is the point where trying to be a good citizen in the Composer ecosystem comes back to haunt us. Because, yes, we should explicitly declare any use of our utility packages instead of just relying on the fact that Flow requires them anyway.
And of course we must explicitly require (at least) Commons and DBAL of Doctrine, since we use them actively in our code. Oh, and the Annotations package. Probably more, we’d need to check. Also other vendors, possibly.
And when we are done, we need to keep track of all those dependencies, and update them whenever needed and/or possible. Thinking about the work we already have with keeping all pour dependencies working, that makes me cringe.
Another conclusion?
So, opinions on that? We could continue with our policy of “no transitive dependencies are re-required”. If a dependency really “goes away”, we will notice. Maybe the extra work of debugging such a failure is a good tradeoff against having to work with those extra dependencies?