The software you are writing has dependencies. Probably on a lot of open source. If you are not fully aware of your dependencies you might be in trouble without even knowing it. When you pull in a nice library that saves you a lot of work, that library possibly pulls in a lot of dependencies of its own. The last time this bit us was when we used a library that was too awesome not to use. It was written by a hero that we look up to and had a good story. But we ran into trouble when our application started building up a bit more load than average. It turned out that our hero also has a good story about how Java thread pooling can be improved, and we unknowingly sucked in that dependency as well.
And you know what, it was really our own fault. I have written about how to prevent this before: http://blog.avisi.nl/2013/03/04/open-source-maturity/ and that advice should be applied to your whole dependency tree, not just the libraries you pick yourself. In our tree I found a piece of software looking like this:
- ...has had 45 commits made by 3 contributors representing 90,577 lines of code
- ...is mostly written in Java
- ...has a codebase that exists just over a year
- ...was last released with a version tag 0.1.2-alpha1
Ouch, version 0.1.2-alpha1. I don't have to explain what that means. So here's my advice: learn to use and understand the tooling that shows you what your software depends on, transitive dependencies included. mvn dependency:tree, lein deps :tree, or whatever the command is for the tool you use.
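As an added illustration (not code from the original post), here is a small script that parses the output of mvn dependency:tree and flags transitive, non-test dependencies whose version tag is a pre-release (alpha, beta, rc, snapshot, milestone) or still 0.x. The sample tree, the artifact names in it and the risk heuristic are all constructed for this example.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `mvn dependency:tree` output; the coordinates are made up.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.hero:awesome-lib:jar:2.3.0:compile
[INFO] |  \\- org.hero:better-threadpool:jar:0.1.2-alpha1:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Version qualifiers that signal "not yet considered stable by its own authors".
PRERELEASE = re.compile(r"(alpha|beta|rc|snapshot|milestone|m\d)", re.IGNORECASE)


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 0 = our own project, 1 = direct dependency, >1 = transitive


def parse_tree(text: str) -> List[Dep]:
    """Parse Maven's ASCII tree into (coordinates, scope, depth) records."""
    deps = []
    for raw in text.splitlines():
        line = raw.replace("[INFO] ", "", 1).rstrip()
        if not line:
            continue
        # The tree drawing is made of 3-character cells: "+- ", "\- ", "|  ", "   ".
        body = line.lstrip("+\\|- ")
        depth = (len(line) - len(body)) // 3
        parts = body.split(":")
        if len(parts) == 4:  # root line: group:artifact:type:version (no scope)
            group, artifact, _, version = parts
            scope = "root"
        else:  # group:artifact:type[:classifier]:version:scope
            group, artifact = parts[0], parts[1]
            version, scope = parts[-2], parts[-1]
        deps.append(Dep(group, artifact, version, scope, depth))
    return deps


def risky_transitives(deps: List[Dep]) -> List[Dep]:
    """Transitive (depth > 1), non-test dependencies that are pre-release or 0.x."""
    return [d for d in deps
            if d.depth > 1 and d.scope != "test"
            and (PRERELEASE.search(d.version) or d.version.startswith("0."))]


if __name__ == "__main__":
    for d in risky_transitives(parse_tree(SAMPLE_TREE)):
        print(f"depth {d.depth}: {d.group}:{d.artifact} {d.version} ({d.scope})")
```

Run it against `mvn dependency:tree | python3 this_script.py`-style captured output of your own build to see which of the things you never chose are holding your application up.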