Blog

Gavin Pickin

May 18, 2022

Spread the word


Share your thoughts

Why should I use 3rd party libraries vs Roll my own?

There is always a trade-off between using a 3rd party library and rolling your version in software development. I often hear many of these points in discussions, but I wonder how many people know and consider them, so I wanted to share my pros and cons.

TLDR

This article will help convince you that libraries are not EVIL like so many haters believe. Choosing the right libraries make you more productive and efficient, not lazy. This article identifies solid use-cases for using a 3rd party library in your application. It gives you a checklist of questions to help you identify the red flags of unsafe, unreliable, poorly supported, or ill-suited libraries.

Pros/Benefits of using 3rd Party Libraries

These are the pros of using the 3rd party libraries. Using a library that is not a good fit might not have all these same benefits.

  • Saves time The biggest and most well-known pro is saving time. Using a 3rd party library lets you focus on your application's core business logic and allows someone else to focus on the knowledge and expertise required to handle the other logic in this Library. Of course, you will still have to read the manual and integrate the Library into your app, but that is still a tiny percentage in comparison.

  • A 3rd party library can fill in your expertise gap. As software developers, we are usually well versed in a lot of technology, or we believe in our ability to learn technology. Still, our hours of research will never compete with the knowledge and experience of those writing reputable 3rd party libraries. A perfect example here is cryptography libraries. There is seldom a good reason for you to write one of these. Note: A wrapper to an existing library is a different scenario.

  • It makes you use Modular Code. Using well-built 3rd party libraries encourages low coupling in your code (good software design principle).

  • Use Pre-tested Code A 3rd party library is used by other people, and their usage is one form of code testing. Use could have already found a lot of bugs from a well-built and used 3rd party library. Well-built 3rd party libraries will usually have tests to catch edge cases and stop regressions. Example Quick and qb - lots of tests to ensure your Database Queries work https://github.com/coldbox-modules/quick and https://github.com/coldbox-modules/qb

  • Bug fixes and Security Updates. Just because you haven't found a bug or security hole doesn't mean it isn't there. With a library, you benefit from more eyes on the code and lots of other people using the Library, finding and identifying those bugs and security issues. With well-maintained projects, bugs should be fixed in a timely manner, and most importantly, it does not always fall back on you.

Cons/Costs of using a 3rd party library

  • Dependency Your code is coupled to that Library. If they change their Library, you might need to change your code to match. Solution: Lockdown to a specific version and write an abstraction layer to handle changes behind the scenes when things change.

  • Lack of Support Not all projects are the same. Not all 3rd party libraries have teams of people to maintain, document, fix, and evangelize.

  • Code Responsibility Including a 3rd party library means taking responsibility for that code in your application. It's still a win in most cases, but if your application breaks, you have to fix it, whether in your code on a library you chose to use. Well-maintained libraries might fix bugs quickly or require pull requests from the community to fix them. Until a fix is released, you might have to patch the issue yourself while you wait.

  • Differences of Opinion: Bug vs. Feature Some libraries might have a piece of code that works one way, whereas you think it should work another. You might think it is a bug, and they might think it is a feature. Open Source means you own the code, but not the maintainers, and in the end, the maintainer's vision for the Library is what goes. Solution: With Open Source, it usually means you can always fork the Library and develop it with your visions, but you will lose a lot of the other benefits of using a 3rd party library. Note: Your fork may become the way to do it if others agree with you! In that case, everyone can win.

How to evaluate a 3rd Party Library

Pros and cons are one thing, but in the end, it is your code you are installing this 3rd party library, so you need to ask yourself some questions and make the decision. You have to weigh the benefits against the costs of using the 3rd party library. Below are a few of the questions you should consider.

  • How popular is the Library? If the Library is popular, all the pros are boosted, more eyes, more support, more maintainers, more extensive and more active community. A new or unpopular library is not a red flag, but a popular library has a lot of pros.

  • Is the Library well recommended? A library well used by the developer community is a good indicator for using it. Does the Library have a community? Are there many people recommending the Library on Twitter, StackOverflow, and word of mouth? Recommendations can be compelling, and finding other developers to discuss the Library is valuable in evaluating, integrating, or debugging. Does the Library have a home for its developers to communicate, forum, Slack, etc.?

  • Is the Library well written? Is the code written with sound software design principles? Does it use design patterns, thought our structure, configurable, low coupling, consistent formatting, and code comments? Is the readme file included, up to date, and detailed? Are there tests, are the tests up to date, have good code coverage, and do they pass?

  • Is the project alive and well maintained - look for a public issue tracker and documentation. A possible indicator - is the project releasing updates in a semi-regular fashion? Is the issue tracker publicly available? Does it show activity, do issues get resolved, or do they go there to die? Is documentation up to date? Is their website up to date? If they have a forum or community, is there much traffic, is it supportive, has recent posts, and is it full of unanswered questions, or does it include solutions too?

  • Is the Author/Maintainer reliable? After looking at this current Library's code and life and maintenance, you might want to look into the Author / Core Maintainers. It might be a red flag if the author has a history of many short-lived projects.

  • Is this Library solving a problem worth solving? Is this Library solving a problem that my language or framework already handles, or can I easily manage most of this? If this is the case, a lot more code for a simple convenience helper might not be worth it, especially if it is not using knowledge or expertise to perform the function Example: getRealIP() - CFML can get you the remote IP address of the user, but with different routers, web servers, proxies, etc., getting the REAL IP is a little trickier, and a library can handle those use cases, and if something changes, the Library can be updated, improving your code without needing to learn more about proxy header changes.

  • Is this Library solving my problem or everyone's problem? Suppose you only need a small percentage of a library, or the Library only solves a piece of your requirements. In that case, you might have to either change the Library or roll some of your code in addition to what the Library is solving. If so, you might not want to use that Library for a small short-term win.

  • Is using this Library a security risk? Open Source software usually has more security pros than cons. It can be a target for hackers, where your code might have bigger holes, just less well-known. Check to see if that Library has known issues or if there is chatter about known hacks. If the project is well maintained, they should jump on security issues quickly. Another thing to consider is their security model. Do they have pretty open commit rights and a structured pull request system? This will help minimize the risk of a "bad actor" committing potentially malicious code to a reputable library.

  • What type of license does the Library have? A 3rd party library license can control how you use the Library and how your app has to be licensed if you use the Library. More information on Open Source Licenses can be found here. https://www.whitesourcesoftware.com/resources/blog/open-source-licenses-explained/

ForgeBox

Stop reinventing the wheel, search for a package, install it and create beautiful apps. Leverage our extensive package directory for modules, frameworks, libraries and even Lucee Extensions. ForgeBox is the place to find reusable modules for your web applications.

ForgeBox is the package repository and software directory for ColdFusion (CFML). Just leverage CommandBox CLI so you can also contribute to this directory and build amazing reusable code.

Browse Packages on ForgeBox

Get Started!

Add Your Comment

Recent Entries

Partner with BoxLang and Ortus at Into the Box 2025: Empowering the Future of Modern Software Development!

Partner with BoxLang and Ortus at Into the Box 2025: Empowering the Future of Modern Software Development!

At Ortus Solutions, we’ve always been at the forefront of innovation in the ColdFusion ecosystem. From pioneering modern ColdFusion practices to developing cutting-edge tools and frameworks, we’ve been passionate to help and sup[port the community into shaping the future of web development.That’s why we decided to build BoxLang, our new JVM programming language that not only builds on the strengths of ColdFusion but takes modern software development to the next level.

Maria Jose Herrera
Maria Jose Herrera
December 23, 2024
Why BoxLang When You Have Kotlin, Groovy, Scala, and more…

Why BoxLang When You Have Kotlin, Groovy, Scala, and more…

As we approach a stable release of BoxLang and our continued marketing reaches more folks, many have asked about its purpose. Why create a new language when the JVM ecosystem already includes established languages like Kotlin, Groovy, and Scala, to name a few.

Luis Majano
Luis Majano
December 18, 2024