Phase 4 of 5  ·  Modern Engineering
Week 14 / 20   ·   Ch 15

Software Reuse

"How npm changed software engineering — and the risks nobody told you about"

📚 Ch 15 — Software Reuse · 📦 npm / PyPI / Maven · ⚠️ Dependency Risks · ⏱ ~20 min read

🔍 Concept Deep Dives


📦 Benefits of Reuse

Faster delivery, lower cost, battle-tested code, reduced risk.

When to Use

Almost always — ask 'does this already exist?' before building.

Real-World Example

Building auth? Use Passport.js. Need payments? Stripe SDK. Need ML? scikit-learn. Time saved: weeks.

✓ Advantages

  • Faster time to market
  • Lower development cost
  • Proven, tested functionality

⚠ Watch Out

  • Must evaluate before trusting
  • License considerations
  • Version management overhead

Build from scratch: 8 weeks
Use open-source library: 2 days
Use SaaS (Auth0, Stripe): 4 hours
→ Choose based on the control vs. speed trade-off
⚠️ Reuse Risks

Dependency hell, supply chain attacks, license conflicts, obsolescence.

When to Use

Before adding any dependency — evaluate the risk.

Real-World Example

Log4Shell (2021): one vulnerability in a logging library (log4j) affected millions of systems worldwide.

✓ Advantages

  • Understanding risks lets you mitigate them

⚠ Watch Out

  • Transitive dependencies: a single npm install can pull in thousands of packages you never chose
  • Abandonware risk

Supply Chain Attack Examples:
left-pad removal (2016): 11 lines of code, 2.5 million npm downloads/day — broke the internet
Log4Shell (2021): log4j, CVSS score 9.3
→ Always audit your dependencies
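As an added example (not from the chapter, and not npm's own tooling), this script applies the "audit your dependencies" and "use lockfiles" advice to a constructed package-lock.json: it separates direct from transitive dependencies and flags deny-listed name@version pairs, entries with no integrity hash, and tarballs resolved from outside the public registry. The function name auditLockfile, the REGISTRY constant, the DENY_LIST entries and SAMPLE_LOCK are all constructed here; only the lockfileVersion 2/3 "packages" layout is npm's.

```javascript
// Added example, not from the chapter: a minimal audit pass over an npm
// package-lock.json (lockfileVersion 2/3 "packages" map). Flags deny-listed
// name@version pairs, missing integrity hashes and off-registry tarball URLs.
const REGISTRY = 'https://registry.npmjs.org/';
// Constructed placeholders standing in for real advisory data.
const DENY_LIST = new Set(['example-stream@0.0.0-malicious', 'example-parser@0.0.0-malicious']);

function auditLockfile(lock) {
  const pkgs = lock.packages || {};
  const direct = new Set(Object.keys((pkgs[''] || {}).dependencies || {}));
  const report = { direct: 0, transitive: 0, findings: [] };
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path === '') continue;                    // the root project itself
    const segments = path.split('node_modules/'); // ['', 'a/', 'b'] when b is nested under a
    const name = segments[segments.length - 1];
    if (segments.length === 2 && direct.has(name)) report.direct++;
    else report.transitive++;                     // hoisted or nested indirect dep
    const id = `${name}@${meta.version}`;
    if (DENY_LIST.has(id)) report.findings.push(`${id}: known-bad version`);
    if (!meta.integrity) report.findings.push(`${id}: no integrity hash`);
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) {
      report.findings.push(`${id}: resolved outside registry (${meta.resolved})`);
    }
  }
  return report;
}

// Constructed lockfile fragment: two direct deps, one nested transitive dep.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'web-app-lib': '^1.0.0', 'example-parser': '^1.0.0' } },
    'node_modules/web-app-lib': {
      version: '1.0.0', integrity: 'sha512-constructed',
      resolved: REGISTRY + 'web-app-lib/-/web-app-lib-1.0.0.tgz',
    },
    'node_modules/example-parser': { // pinned and hashed, but fetched from a mirror
      version: '1.0.0', integrity: 'sha512-constructed',
      resolved: 'http://mirror.example.test/example-parser-1.0.0.tgz',
    },
    'node_modules/web-app-lib/node_modules/example-stream': { // deny-listed, no hash
      version: '0.0.0-malicious',
      resolved: REGISTRY + 'example-stream/-/example-stream-0.0.0-malicious.tgz',
    },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

In a real project you would parse the checked-in package-lock.json instead of SAMPLE_LOCK and feed DENY_LIST from an advisory source; the point is that the lockfile, not package.json, is where the full transitive tree is visible.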
🏗️ Application Frameworks

Frameworks provide reusable architecture + infrastructure for a class of applications.

When to Use

Starting any new application in a well-known domain (web, mobile, ML).

Real-World Example

Django provides: ORM, auth, admin, migrations, templating — you provide the business logic.

✓ Advantages

  • Architectural guidance built in
  • Convention over configuration
  • Large community

⚠ Watch Out

  • Framework lock-in
  • Framework updates can break your code
  • Opinionated = less flexibility

Framework provides:
→ Skeleton structure
→ Common utilities
→ Extension points
You provide:
→ Business logic
→ Custom components
🔄 Software Product Lines

A family of related software products sharing a common architecture and components.

When to Use

When building multiple variants of the same product for different customers/markets.

Real-World Example

Android: core OS + customized by Samsung, Xiaomi, OnePlus with different features per market.

✓ Advantages

  • Systematic reuse across products
  • Economies of scale
  • Consistent quality

⚠ Watch Out

  • Upfront investment in platform
  • Governance overhead

Core Platform (shared)
↓
Product A (config A) + Product B (config B) + Product C (config C)
→ Same core, different configurations

📋 Quick Reference

Ch 15 Cheat Sheet — Software Reuse
Reuse Benefits
Faster, cheaper, proven code. Always ask: does this already exist?
Dependency Hell
Conflicting transitive dependencies. Use lockfiles (package-lock.json) and audit regularly.
Supply Chain Attack
Malicious code injected via dependencies. Log4Shell, event-stream, ua-parser-js.
Framework
Provides architecture + utilities. You fill in business logic. Convention over configuration.
COTS
Commercial off-the-shelf software. Configurable, not customizable. ERP, CRM systems.
Product Line
Family of related products sharing common architecture. Systematic reuse at scale.
License
Check before using: MIT (permissive), GPL (copyleft), Apache 2.0 (permissive + patent).
Sommerville's Key Points — Ch 15
Author's own summary from the end of the chapter.
  1. Software reuse: using existing software components rather than building from scratch.
  2. Benefits: lower costs, faster delivery, proven reliability.
  3. Risks: dependency hell, supply chain attacks, license issues, obsolescence.
  4. Generators of reuse: libraries, frameworks, COTS, services (SaaS/APIs).
  5. Application frameworks: reusable software infrastructure defining system architecture.
  6. Software product lines: family of related systems sharing common architecture.

🧠 Quiz — Test Yourself


Q1 (Recall): What is a supply chain attack? Give a real example.
Answer: A supply chain attack compromises a software dependency to attack the systems that use it. Example: Log4Shell (2021) — a vulnerability in the log4j Java logging library (CVSS 9.3) allowed remote code execution. Used by millions of systems. One open-source library, global impact.
Q2 (Apply): What is the difference between a library and a framework?
Answer: Library: you call it (inversion of control is yours). You use the library's functions when you need them. Example: requests library in Python. Framework: it calls you (Hollywood Principle: 'Don't call us, we'll call you'). You fill in the extension points. Example: Django — it handles the HTTP request cycle, you write the view functions.
Q3 (Analyze): Why might you choose to build something from scratch instead of reusing an existing library?
Answer: When:
  • The library doesn't exist.
  • Existing libraries have prohibitive licenses (GPL when you need commercial).
  • Security-critical component where you need full control.
  • The library has too many transitive dependencies.
  • Your requirements are so specific that adapting a library costs more than building.
  • Performance requirements the library can't meet.