Separate dependencies from source code
  • Updated on 22 Apr 2019

This rule prevents a project's dependencies dir from being mistakenly pushed into the project's source code repository.

In general, it is best practice for the package manager to be responsible for downloading and managing project dependencies from a remote binary artifacts repository (or your organization's own one).

Use case(s)

  • Streamline the review process by excluding code changes in dependencies, which greatly reduces the number of files that must be reviewed
  • Committing dependencies considerably increases the size of the repository and slows down the SCM, IDE, and search tools
  • Once dependency files or dirs have been added to the base branch (even if they are later removed), they remain in the git history and are downloaded on every code checkout

When does this rule fail?

When a commit in the pull request contains a dependencies dir.


How to fix?

  1. Update the code to pull dependencies from a remote (or your organization's) binary artifacts repository, for example, Nuget, Pip, Maven, Npm.js, etc.
  2. Remove the dependencies dir from the repository and push the new code to your branch:

     $ git rm -r <dependencies-dir-path>
     $ git commit -m "removed dependencies dir from code"
     $ git push

  3. Datree's policy check automatically ensures the dependencies dir is removed from the pull request.
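The check described above, as an added example that is not Datree's own code: a small shell script you can run in CI or as a pre-push hook that fails when a branch's diff against its base contains files under a package-manager dependencies dir. The dir names, the default branch names, and the sample path list are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Datree's own code: a CI/pre-push check that mimics the
# "Separate dependencies from source code" rule. It takes the list of files a
# branch changes relative to its base and fails when any of them lives under a
# package-manager dependencies dir. The dir names are an assumption covering
# common ecosystems (npm, Bower, PHP/Ruby vendoring, Python virtualenvs).
DEPENDENCY_DIRS="node_modules bower_components vendor .venv venv site-packages"

# Read changed paths from stdin (one per line, as `git diff --name-only`
# prints them) and print only those located under a dependency dir.
find_dependency_paths() {
    while IFS= read -r path; do
        for dir in $DEPENDENCY_DIRS; do
            case "$path" in
                "$dir"/*|*/"$dir"/*) printf '%s\n' "$path"; break ;;
            esac
        done
    done
}

# Exit status 1 when the diff between base and head contains dependency
# files (the rule fails), 0 otherwise. Defaults are assumed branch names.
check_branch() {
    base="${1:-origin/main}"
    head="${2:-HEAD}"
    offenders=$(git diff --name-only --diff-filter=AM "$base...$head" | find_dependency_paths)
    [ -z "$offenders" ] && return 0
    echo "Dependencies dir committed; remove it and fetch from a package repository:" >&2
    echo "$offenders" >&2
    echo "  git rm -r <dependencies-dir-path> && git commit -m 'removed dependencies dir from code'" >&2
    return 1
}

# Constructed sample of changed paths for running this offline, without git.
SAMPLE_PATHS='src/app.js
package.json
node_modules/lodash/index.js
docs/README.md
frontend/vendor/jquery.min.js'

# Running the sample prints the two offending paths.
printf '%s\n' "$SAMPLE_PATHS" | find_dependency_paths
```

In a real pipeline call `check_branch origin/main HEAD` instead of the sample run; pairing it with a .gitignore entry for the same dirs stops the files from being staged in the first place.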


What's Next

Activate a policy