Open source programming languages, frameworks, and dependencies are often updated without developers being made aware of the changes, and without projects being kept up to date. At a minimum, we recommend running automated security checks against vulnerability repositories to keep software up to date. For those progressive organizations where code changes frequently, we recommend staying on the cutting edge of software package versions. For dependencies that follow Semantic Versioning (semver), we recommend waiting for a minor or patch release before adopting a new major version.
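The semver adoption policy above, sketched as a small Python selector (an added example, not Vaporware's own code): it takes the newest release within the current major and moves to a newer major only once that major has shipped a minor or patch release. The package names and version lists are constructed sample data, and `parse`, `upgrade_target` and `plan` are hypothetical names.

```python
import re

# Plain MAJOR.MINOR.PATCH only; pre-release and build tags are rejected so that
# release candidates and betas are never chosen as upgrade targets.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed sample data: (current version, published versions) for two
# hypothetical packages.
SAMPLE = {
    "webframework": ("6.1.3", ["6.1.3", "6.1.4", "7.0.0", "7.0.0-rc1"]),
    "httpclient": ("2.8.0", ["2.8.0", "2.9.1", "3.0.0", "3.0.1", "3.1.0-beta.2"]),
}


def parse(version):
    """Return (major, minor, patch), or None if this is not a plain release."""
    m = _SEMVER.match(version.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def upgrade_target(current, available):
    """Choose the version to adopt.

    Same major as `current`: the newest release is always eligible.
    Newer major: eligible only once it has a follow-up release (X.Y.Z with
    Y > 0 or Z > 0), so a lone X.0.0 is skipped.
    Returns `current` (normalized) when nothing newer qualifies.
    """
    cur = parse(current)
    if cur is None:
        raise ValueError(f"current version is not plain semver: {current!r}")
    candidates = [cur]
    for v in filter(None, map(parse, available)):
        if v <= cur:
            continue  # never downgrade or reinstall the same version
        if v[0] == cur[0] or (v[1], v[2]) != (0, 0):
            candidates.append(v)
    return ".".join(str(part) for part in max(candidates))


def plan(sample):
    """Map each package name to its chosen upgrade target."""
    return {name: upgrade_target(cur, avail) for name, (cur, avail) in sample.items()}


if __name__ == "__main__":
    for name, target in plan(SAMPLE).items():
        print(f"{name} -> {target}")
```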
Explicitly declare and isolate dependencies
The full and explicit dependency specification should be applied uniformly to both production and development. While Docker containers can help with fully embedding dependencies, it is an approach that requires more DevOps overhead and is not required.
Vaporware recommends scripting development environment setup into single commands through a bin/setup methodology. This includes often overlooked things like consistently setting up git remotes and a repeatable database primer for local development.
At Vaporware, we are huge proponents of adopting external services to handle auxiliary functions. When products are still in an early discovery phase, we can even outsource core features to scalable providers.
This enables faster time to market and industry best practices even early in a product’s lifecycle. With features like geolocation, notifications, payment processing, video calling, and chat streams, there is often an open-source package or SaaS provider scaling some feature set of your application that previously would’ve taken months or years to develop.
At some point in a SaaS product’s lifecycle, outsourcing to external services may prove not to be cost-effective for your business model. If you’ve used an external service that has not changed in a while, and your business process pertaining to it has not changed either, consider in-housing those features or technology.
For example, we always recommend using Stripe’s subscription flow for new SaaS products. The flexibility and reliability of the system are unparalleled. But Stripe is not the best payment processor on the market, as many payment gateways provide better rates. Consider partnering with them for the first few years to quickly iterate new payment models and take advantage of their expertise, but consider more cost-effective partners later.
This “rip and replace” model is easier if it is expected or predicted early on. To that end, we always recommend wrapping third-party services into “Service Objects” or other patterns that make replacement easy.