Twelve-Factors in practice - Part II - Dependencies

Explicitly declare and isolate dependencies


The second of a 12 part series on how to use Twelve-Factor App in practice. This entry is written in collaboration with my good friend and two-time former coworker Mycha de Vrees.

What follows is based on our combined experience of dealing with dependencies.

The takeaway of this post: define your dependencies as strictly as possible. In most cases pinning the major and minor version should be enough, but pinning the patch version as well makes sure of it.

Language    Package manager
Python      pip (requirements.txt)
NodeJS      npm / yarn


Python uses a requirements.txt file which is managed by PIP

Installing PIP

curl --silent --show-error | sudo python

# Specific version of python
curl --silent --show-error | sudo python2

curl --silent --show-error | sudo python3

curl --silent --show-error | sudo python3.6

More on install options can be found at

Listing installed

Listing all installed packages, with their versions, is done with pip freeze

Please note that this is not advised outside of a virtual environment. For example, you may have docker-compose installed globally via pip; a handy tool, but not specific to a project and not a dependency of the project you are working on. Running pip freeze globally, i.e. outside a project-specific environment, will include such tools in your requirements.

pip freeze > requirements.txt


Below is a short example; the external links are based on Git. A full list can be found at

# default

# pinned version options

MyPackage[PDF]==3.0

-e git://
-e git+
-e git+ssh://

# GIT - Specific branch/tag/commit
-e git://
-e git://
-e git://
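The takeaway above is "pin as strictly as possible", and a pip freeze dump or a hand-written requirements.txt is easy to audit for that. The following is an added example (Python, not part of the original post) that walks a requirements file and flags anything that is not strictly pinned: bare names, range specifiers, == pins without a patch version, and VCS entries whose @ref is missing or is a branch/tag rather than a commit hash. The sample file, hostnames and package names are constructed for the example.

```python
"""Audit a requirements.txt for non-strict pins (added example, not the post's code)."""
import re

# Constructed sample requirements file; the hosts and names are not real projects.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's requirements
MyPackage==3.0
yourpackage==3.1.4
Flask>=1.0,<2.0
requests
MyPackage[PDF]==3.0.1
-e git+https://example.invalid/org/repo.git@v1.2.0#egg=repo
-e git+https://example.invalid/org/repo.git@0123456789abcdef0123456789abcdef01234567#egg=repo
-e git+https://example.invalid/org/repo.git#egg=repo
"""

# A VCS requirement: optional "-e", then git/hg/svn/bzr followed by "+" or "://".
VCS_RE = re.compile(r"^(?:-e\s+)?(?:git|hg|svn|bzr)(?:\+|://)")
# name, optional [extras], then whatever version specifier follows.
NAME_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?\s*(?P<spec>.*)$")
# Strict pin: "==" plus a full major.minor.patch.
FULL_PIN_RE = re.compile(r"^==\s*\d+\.\d+\.\d+$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def vcs_ref(line):
    """Return the @ref of a VCS requirement, or None if it has none.

    The ref is looked for after the first "/" of the path so that a
    user@host URL (git+ssh://git@host/...) is not mistaken for a ref.
    """
    spec = line.split("#", 1)[0].strip()          # drop the #egg=... fragment
    if spec.startswith("-e"):
        spec = spec[2:].strip()
    rest = spec.split("://", 1)[1] if "://" in spec else spec
    _host, _sep, path = rest.partition("/")
    if "@" in path:
        return path.rsplit("@", 1)[1] or None
    return None


def check_line(raw):
    """Return None if the line is strictly pinned, otherwise a short reason."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    if VCS_RE.match(line):
        ref = vcs_ref(line)
        if ref is None:
            return "VCS requirement has no @ref, so it tracks the default branch"
        if not SHA_RE.match(ref):
            return f"VCS ref {ref!r} is a branch or tag, not a commit hash; it can move"
        return None
    m = NAME_RE.match(line)
    if not m:
        return "unrecognised requirement syntax"
    # Ignore environment markers (; python_version...) and options (--hash=...).
    spec = re.split(r"\s*;|\s+--", m.group("spec"))[0].strip()
    if not spec:
        return "no version specified at all"
    if not spec.startswith("=="):
        return f"range specifier {spec!r} instead of an exact == pin"
    if not FULL_PIN_RE.match(spec):
        return f"pin {spec!r} does not include a patch version"
    return None


def audit(text):
    """Return {requirement line: reason} for every line that is not strictly pinned."""
    findings = {}
    for raw in text.splitlines():
        reason = check_line(raw)
        if reason:
            findings[raw.strip()] = reason
    return findings


if __name__ == "__main__":
    for line, reason in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{line}\n    -> {reason}")
```

Run it against a real file with `audit(open("requirements.txt").read())`; an empty result means every entry is an exact `==major.minor.patch` pin or a VCS reference frozen to a commit hash. A tag-based ref is reported because, unlike a commit hash, a tag can be moved or recreated upstream.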


NodeJS uses npm (or Yarn) to manage dependencies: package.json declares them and package-lock.json pins them.

package.json vs package-lock.json

The major difference, in short, is that package.json allows version ranges (^, >=, <=) while package-lock.json pins each dependency to a specific version.

Let's say I have a requirement at version ^5.1.0 and next week 5.1.1 is released. package.json allows both versions, while package-lock.json makes sure that person A installing this week gets the same version as person B installing next week.

The lock file will be generated by npm install if it is not present.


npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js.


Yarn is an alternative to the default npm package manager. Yarn was created by Facebook because of issues with npm's consistency, security and speed.

package.json example

Within the file, amongst a lot of other things, you’ll find two sections: dependencies and devDependencies. The difference is fairly simple.

dependencies lists what you need in the final product / in production; devDependencies lists the rest, what you need while developing (and/or testing).

    {
      "dependencies": {
        "vue": "^2.5.2"
      },
      "devDependencies": {
        "autoprefixer": "^7.1.2",
        "babel-core": "^6.22.1"
      }
    }
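To make the ^5.1.0 versus 5.1.1 scenario and the package.json/package-lock.json split concrete, here is an added example (Python, not code from the original post or from npm) that implements the caret (^), tilde (~) and exact range rules of npm's semver for x.y.z versions, merges dependencies and devDependencies, and checks that every declared package is present in the lock file at a version inside its declared range. Both JSON documents are constructed samples; the "vue" entry mirrors the post's example, the locked version numbers are made up.

```python
"""Check package-lock.json pins against package.json ranges (added example)."""
import json

# Constructed sample package.json; "vue" mirrors the post's example.
PACKAGE_JSON = json.loads("""
{
  "dependencies": { "vue": "^2.5.2" },
  "devDependencies": {
    "autoprefixer": "^7.1.2",
    "babel-core": "^6.22.1",
    "eslint": "~4.19.0"
  }
}
""")

# Constructed sample package-lock.json in the lockfileVersion 1 layout.
# babel-core is deliberately locked outside its range, eslint is missing.
PACKAGE_LOCK = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "vue": { "version": "2.5.16" },
    "autoprefixer": { "version": "7.2.6" },
    "babel-core": { "version": "7.0.0" }
  }
}
""")


def parse_version(text):
    """'1.2.3' -> (1, 2, 3). Pre-release suffixes are dropped for this example."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def satisfies(version, range_spec):
    """True if `version` is allowed by a range of the form ^x.y.z, ~x.y.z or x.y.z.

    ^ allows changes that do not modify the left-most non-zero digit,
    ~ allows patch-level changes only, a bare version must match exactly.
    """
    v = parse_version(version)
    if range_spec.startswith("^"):
        base = parse_version(range_spec[1:])
        major, minor, patch = base
        if major > 0:
            upper = (major + 1, 0, 0)
        elif minor > 0:
            upper = (0, minor + 1, 0)
        else:
            upper = (0, 0, patch + 1)
        return base <= v < upper
    if range_spec.startswith("~"):
        base = parse_version(range_spec[1:])
        upper = (base[0], base[1] + 1, 0)
        return base <= v < upper
    return v == parse_version(range_spec)


def declared_dependencies(package_json):
    """Merge dependencies and devDependencies into one {name: range} mapping."""
    merged = {}
    for section in ("dependencies", "devDependencies"):
        merged.update(package_json.get(section, {}))
    return merged


def check_lock(package_json, package_lock):
    """Return {name: problem} for each declared dependency the lock does not pin correctly."""
    locked = package_lock.get("dependencies", {})
    problems = {}
    for name, range_spec in declared_dependencies(package_json).items():
        entry = locked.get(name)
        if entry is None:
            problems[name] = f"declared as {range_spec} but absent from package-lock.json"
            continue
        pinned = entry["version"]
        if not satisfies(pinned, range_spec):
            problems[name] = f"locked at {pinned}, outside declared range {range_spec}"
    return problems


if __name__ == "__main__":
    print("^5.1.0 accepts 5.1.1:", satisfies("5.1.1", "^5.1.0"))
    print("^5.1.0 accepts 6.0.0:", satisfies("6.0.0", "^5.1.0"))
    for name, problem in check_lock(PACKAGE_JSON, PACKAGE_LOCK).items():
        print(f"{name}: {problem}")
```

The first two prints show why the lock file matters: ^5.1.0 accepts 5.1.1, so without the lock two installs a week apart can legitimately differ. check_lock is the consistency check a CI job would run after `npm install`: anything declared in package.json must be locked, and the locked version must fall inside the declared range, otherwise the two files have drifted apart.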

See also