Ask HN: Should you check in your dependencies in source control?
I can see some benefits to checking in your dependencies, for non-shared private projects. You will be 100% free from external dependencies in your build process. Builds will be faster, easier and more robust. There is a guarantee that the project will be buildable in the future.
Imagine that you have a small service/application that is running internally on company infrastructure. You don’t touch it for years, it just keeps running. Five years after the application was built, the server breaks and you need to redeploy the application to a new server. There is a risk that some dependencies have changed. Maybe someone raged and removed a GitHub repository, maybe GitHub made some changes or doesn't exist anymore or is just down. There are a bunch of things that could become issues. Checking in your dependencies solves all that.
The negative effect is that your git repository grows in size. You can have separate commits for the updated dependencies, but they will still be in the history.
Is that not a small price to pay to be free from external dependencies though?
Thoughts?