📖 Story time
Once upon a time, I was working on implementing email sending in a Flask application. Since it was my first time working with email in Flask, I went to Google to check how others do it. I went through a few articles and figured I should use a package called Flask-Mail, since every post I read used it.
While I was talking to a coworker, he mentioned that I should double-check whether that library is still maintained. He made a good remark - when I checked the repository, I saw that the last commit to the library was 9 years ago! 😱
In disbelief I went back to Google to check other articles about sending email in Flask. I realised that the top 20 search results all used Flask-Mail, a package that hadn't been maintained for 9 years! Even the famous The Flask Mega-Tutorial by Miguel Grinberg was still using Flask-Mail.
What's worse, the articles listed weren't old; they were all from a few years ago.
It seemed that Flask-Mail was still heavily used. That was confirmed by the fact that it had around 390k downloads in the last month.
👉🏻 Some finger pointing
I had a suspicion that Flask-Mail wasn't the only unmaintained package still in extensive use. To see whether this was true, I looked at the top 200 Python packages by monthly downloads on PyPI, checking for each one when the repository last saw a commit or any activity from its author.
These are some of the packages I found (download numbers are from the last month - source):
isodate - 79M downloads. No new code or activity from the author in the repo for 2 years.
et_xmlfile - 60M downloads. No new code or activity from the author in the repo for 2 years.
msrest - 30M downloads. No new code in the repo for 2 years. Also, the README says: This package is deprecated and no longer receives updates.
That adds up to around 170M downloads last month of packages that aren't maintained anymore. And that is from just a small fraction of the Python packages out there. Ouch.
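The check behind the survey above can be automated instead of done by hand. The script below is an added example, not code from the original article: it takes the JSON metadata PyPI publishes for every package (the real endpoint is https://pypi.org/pypi/<name>/json) and flags a package when its newest non-yanked release is older than a cut-off, when it carries the "Development Status :: 7 - Inactive" trove classifier, or when its summary or description says it is deprecated or unmaintained (the msrest case). The two-year cut-off, the package names and the metadata records are constructed for the example; the live `fetch_pypi` helper is optional and needs network access.

```python
"""Flag PyPI packages that look unmaintained, from their PyPI JSON metadata."""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

# Assumption for this example: two years without a release counts as stale.
STALE_AFTER = timedelta(days=2 * 365)

# Wording that maintainers commonly use to announce end of life in the README.
DEPRECATION_RE = re.compile(
    r"\b(deprecated|unmaintained|no longer (?:maintained|supported|receives updates))\b",
    re.IGNORECASE,
)

# Constructed sample records in the shape of the PyPI JSON API response
# (only the fields this script uses). Not real packages.
SAMPLE_PACKAGES = {
    "stale-example": {
        "info": {
            "name": "stale-example",
            "summary": "Legacy helpers",
            "description": "This package is deprecated and no longer receives updates.",
            "classifiers": ["Development Status :: 7 - Inactive"],
        },
        "releases": {
            "1.0.0": [{"upload_time_iso_8601": "2021-03-01T10:00:00Z", "yanked": False}],
            # A yanked release must not count as a sign of life.
            "1.0.1": [{"upload_time_iso_8601": "2023-05-01T10:00:00Z", "yanked": True}],
        },
    },
    "fresh-example": {
        "info": {
            "name": "fresh-example",
            "summary": "Sends email over SMTP",
            "description": "Actively developed SMTP client.",
            "classifiers": ["Development Status :: 5 - Production/Stable"],
        },
        "releases": {
            "2.3.0": [{"upload_time_iso_8601": "2024-04-15T08:30:00Z", "yanked": False}],
        },
    },
}

# Fixed "now" so the example is deterministic.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def fetch_pypi(name):
    """Download the real metadata for a package (needs network; not used by the sample run)."""
    with urlopen(f"https://pypi.org/pypi/{name}/json") as resp:
        return json.load(resp)


def latest_upload(data):
    """Newest upload time across all non-yanked release files, or None if there are none."""
    newest = None
    for files in data.get("releases", {}).values():
        for f in files:
            if f.get("yanked") or not f.get("upload_time_iso_8601"):
                continue
            when = datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
            if newest is None or when > newest:
                newest = when
    return newest


def assess(data, now, stale_after=STALE_AFTER):
    """Return the signals that suggest this package is no longer maintained."""
    info = data.get("info", {})
    findings = []
    newest = latest_upload(data)
    if newest is None:
        findings.append("no (non-yanked) releases at all")
    elif now - newest > stale_after:
        findings.append(f"last release {(now - newest).days} days ago")
    if "Development Status :: 7 - Inactive" in info.get("classifiers", []):
        findings.append("classifier: Development Status :: 7 - Inactive")
    text = " ".join(t for t in (info.get("summary"), info.get("description")) if t)
    hit = DEPRECATION_RE.search(text)
    if hit:
        findings.append(f"description says {hit.group(0)!r}")
    return {"name": info.get("name"), "latest_upload": newest, "findings": findings,
            "suspicious": bool(findings)}


def report(packages, now):
    """Names of the packages that tripped at least one signal."""
    return [name for name, data in packages.items() if assess(data, now)["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLE_PACKAGES.items():
        result = assess(data, AS_OF)
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

None of these signals is proof on its own: a small, finished library can go two years without a release and still be fine, and a busy repository can still ship nothing. Treat a hit as a prompt to look at the repository, the issue tracker and any advisories before adding the dependency, which is the manual check this article is about.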
💣 Problems with using unmaintained packages
Some might say that it shouldn't be a problem that a package is unmaintained: all of its features are polished, so it doesn't need updating.
Yet there are serious problems with using packages that are not maintained, especially for such long periods of time.
🪲 1. Security issues and bugs
There might be serious security issues and bugs in the package, either in its own code or in one of the packages it depends on. If nobody is maintaining the package, these things might go unnoticed, and even when a vulnerability is reported there is nobody to triage it, publish a fixed release, or bump a vulnerable dependency. A package that has not changed in years can therefore still become vulnerable over time.
Using that kind of third-party software could significantly harm the application and the company using it.
🖥️ 2. Updating the software
Whether you are using Python or any other language or framework, it is being updated constantly. New features are added, interfaces change and functionality is deprecated. At some point you'll probably be forced to update some of your project's dependencies, or the interpreter itself.
If you are using an unmaintained package, you might end up in a situation where that package simply doesn't work anymore.
At that point you'll have a few options:
to find a replacement for that unmaintained package
to remove it in a way that you don’t need a replacement
to fork the repository and try to fix the problems in the package by yourself
Whatever you do, you will need to put in additional effort to fix the issue. Changes in the code might also mean additional testing. It definitely means additional time spent, and for a company that means additional cost 💸 .
💭 Conclusion
We have seen that a lot of projects use unmaintained packages and libraries. People and teams are often not diligent enough when vetting the third-party packages they pull into their software.
Let this article be a reminder, next time you add a new package, to check whether that package is still being maintained - even if it seems everyone is using it, as in the Flask-Mail case. It might save you some headache down the line.
Thank you for reading this article! Please comment and let me know if you have any feedback.
True. I observed this. It's kind of scary.
There are 256 packages out of the top 1000 packages that didn't get updated for more than 1 year. Of those, 128 packages out of the top 1000 didn't get updated for more than 2 years, but still, so many of us are using them.
I saw several patterns like that. I also mentioned this in my article about it - https://python.plainenglish.io/my-observations-of-the-python-ecosystem-3ad2adb6662c