Dependency Management Strategy

This document outlines the dependency management strategy for Project Myriad, covering version management, security practices, and maintenance procedures.

Overview

Project Myriad follows a structured approach to dependency management that prioritizes:

Security - Regular updates and vulnerability scanning
Stability - Careful version selection and testing
Performance - Optimized builds and minimal dependency overhead
Maintainability - Clear organization and documentation

Dependency Categories

Core Android Dependencies

📖 For complete technology stack overview, see ARCHITECTURE.md - Technology Stack

This section provides specific dependency configuration and version management details:

Android Gradle Plugin:

// Top-level build.gradle.kts
plugins {
    id("com.android.application") version "8.13.0" apply false
    id("com.android.library") version "8.13.0" apply false
    id("com.android.test") version "8.13.0" apply false
}

Kotlin Language:

// Kotlin compiler and plugins
id("org.jetbrains.kotlin.android") version "2.2.20" apply false
id("org.jetbrains.kotlin.plugin.serialization") version "2.2.20" apply false
id("org.jetbrains.kotlin.plugin.compose") version "2.2.20" apply false

Build Configuration:

buildscript {
    extra.apply {
        set("buildToolsVersion", "35.0.0")
        set("minSdkVersion", 24)
        set("compileSdkVersion", 35)
        set("targetSdkVersion", 35)
        set("kotlinVersion", "2.2.20")
        set("composeVersion", "2024.02.00")
    }
}

UI and Presentation

Jetpack Compose:

dependencies {
    // Compose BOM - manages all Compose library versions
    implementation platform("androidx.compose:compose-bom:2024.02.00")
    
    // Core Compose libraries
    implementation "androidx.compose.ui:ui"
    implementation "androidx.compose.ui:ui-tooling-preview"
    implementation "androidx.compose.material3:material3"
    implementation "androidx.activity:activity-compose"
    implementation "androidx.navigation:navigation-compose"
    
    // Compose animations and additional features
    implementation "androidx.compose.animation:animation"
    implementation "androidx.compose.foundation:foundation"
}

Image Loading:

dependencies {
    // Coil for efficient image loading in Compose
    implementation "io.coil-kt:coil-compose:2.5.0"
    implementation "io.coil-kt:coil-gif:2.5.0" // GIF support
    implementation "io.coil-kt:coil-svg:2.5.0" // SVG support
}

Data and Networking

Room Database:

dependencies {
    val roomVersion = "2.6.1"
    
    implementation "androidx.room:room-runtime:$roomVersion"
    implementation "androidx.room:room-ktx:$roomVersion"
    kapt "androidx.room:room-compiler:$roomVersion"
    
    // Testing
    testImplementation "androidx.room:room-testing:$roomVersion"
}

Networking:

dependencies {
    val retrofitVersion = "2.9.0"
    val okhttpVersion = "4.12.0"
    
    // Retrofit for API calls
    implementation "com.squareup.retrofit2:retrofit:$retrofitVersion"
    implementation "com.squareup.retrofit2:converter-gson:$retrofitVersion"
    implementation "com.jakewharton.retrofit:retrofit2-kotlinx-serialization-converter:1.0.0"
    
    // OkHttp for HTTP client
    implementation "com.squareup.okhttp3:okhttp:$okhttpVersion"
    implementation "com.squareup.okhttp3:logging-interceptor:$okhttpVersion"
    
    // Kotlin Serialization
    implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:1.6.0"
}

Architecture Components

AndroidX Libraries:

dependencies {
    // Core AndroidX libraries
    implementation "androidx.core:core-ktx:1.12.0"
    implementation "androidx.lifecycle:lifecycle-runtime-ktx:2.7.0"
    implementation "androidx.lifecycle:lifecycle-viewmodel-compose:2.7.0"
    
    // Navigation
    implementation "androidx.navigation:navigation-fragment-ktx:2.7.6"
    implementation "androidx.navigation:navigation-ui-ktx:2.7.6"
    implementation "androidx.navigation:navigation-compose:2.7.6"
    
    // Work Manager for background tasks
    implementation "androidx.work:work-runtime-ktx:2.9.0"
}

Coroutines and Flow:

dependencies {
    val coroutinesVersion = "1.7.3"
    
    implementation "org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutinesVersion"
    implementation "org.jetbrains.kotlinx:kotlinx-coroutines-android:$coroutinesVersion"
    
    // Testing
    testImplementation "org.jetbrains.kotlinx:kotlinx-coroutines-test:$coroutinesVersion"
}

Dependency Injection

Manual DI (Current):

// Currently using manual dependency injection
// Located in: app/src/main/kotlin/com/heartlessveteran/myriad/di/

object DIContainer {
    private val database by lazy { createDatabase() }
    val mangaRepository by lazy { MangaRepositoryImpl(database.mangaDao()) }
    val mangaUseCases by lazy { MangaUseCases(mangaRepository) }
}

Hilt (Future):

// Will be enabled when KAPT/KSP compatibility is resolved
// plugins {
//     id("dagger.hilt.android.plugin")
// }
// 
// dependencies {
//     implementation "com.google.dagger:hilt-android:2.48"
//     kapt "com.google.dagger:hilt-compiler:2.48"
// }

Code Quality and Analysis

Static Analysis:

plugins {
    // Kotlin linting and formatting
    id("org.jlleitschuh.gradle.ktlint") version "13.1.0"
    
    // Static code analysis
    id("io.gitlab.arturbosch.detekt") version "1.23.8"
    
    // API documentation generation
    id("org.jetbrains.dokka") version "2.0.0"
    
    // Test coverage
    id("jacoco")
    
    // Security scanning
    id("org.owasp.dependencycheck") version "11.1.0"
}

Testing Dependencies:

dependencies {
    // JUnit 5 for unit testing
    testImplementation "org.junit.jupiter:junit-jupiter:5.10.1"
    testImplementation "org.junit.jupiter:junit-jupiter-engine:5.10.1"
    
    // Mockito for mocking
    testImplementation "org.mockito:mockito-core:5.7.0"
    testImplementation "org.mockito.kotlin:mockito-kotlin:5.2.1"
    
    // Compose testing
    androidTestImplementation "androidx.compose.ui:ui-test-junit4"
    debugImplementation "androidx.compose.ui:ui-tooling"
    debugImplementation "androidx.compose.ui:ui-test-manifest"
    
    // Espresso for UI testing
    androidTestImplementation "androidx.test.espresso:espresso-core:3.5.1"
    androidTestImplementation "androidx.test.ext:junit:1.1.5"
}

Version Management

Version Catalog (Future Enhancement)

gradle/libs.versions.toml:

[versions]
kotlin = "2.2.20"
compose = "2024.02.00"
android-gradle-plugin = "8.13.0"
room = "2.6.1"
retrofit = "2.9.0"
coil = "2.5.0"

[libraries]
androidx-core-ktx = { group = "androidx.core", name = "core-ktx", version.ref = "core" }
androidx-lifecycle-runtime = { group = "androidx.lifecycle", name = "lifecycle-runtime-ktx", version.ref = "lifecycle" }
compose-bom = { group = "androidx.compose", name = "compose-bom", version.ref = "compose" }

[plugins]
android-application = { id = "com.android.application", version.ref = "android-gradle-plugin" }
kotlin-android = { id = "org.jetbrains.kotlin.android", version.ref = "kotlin" }

Dependency Updates

Update Strategy:

Security Updates - Immediate priority for security vulnerabilities
Stable Releases - Monthly review and update cycle
Beta/RC Versions - Testing in development branches only
Major Versions - Careful evaluation and migration planning

Update Process:

# Check for dependency updates
./gradlew dependencyUpdates

# Security vulnerability scan
./gradlew dependencyCheckAnalyze

# Generate dependency report
./gradlew dependencies > dependencies-report.txt

Compatibility Matrix

Android API Compatibility: | Component | Min API | Target API | Compile API | |———–|———|————|————-| | Core App | 24 | 35 | 36 | | Compose UI | 21 | 35 | 36 | | Room Database | 16 | 35 | 36 | | Work Manager | 14 | 35 | 36 |

Security Practices

Vulnerability Management

Automated Scanning:

// OWASP Dependency Check configuration
dependencyCheck {
    format = "ALL"
    suppressionFile = "config/dependency-check-suppressions.xml"
    failBuildOnCVSS = 7.0f // Fail on high severity vulnerabilities
    
    analyzers {
        // Enable specific analyzers
        assemblyEnabled = false
        centralEnabled = true
        nexusEnabled = false
    }
}

Manual Review Process:

Weekly Scans - Automated vulnerability scanning
Immediate Response - Critical vulnerabilities addressed within 24 hours
Assessment - Impact analysis for each vulnerability
Mitigation - Update or alternative solution implementation

License Compliance

License Tracking:

// Gradle license plugin (future enhancement)
// Apply license checking and reporting
tasks.register("licensee") {
    doLast {
        // Generate license report
        generateLicenseReport()
    }
}

Approved Licenses:

Apache 2.0 - Primary preference
MIT - Acceptable for most components
BSD - Acceptable with review
GPL - Requires legal review (avoid if possible)

Performance Optimization

Build Performance

Gradle Configuration:

# gradle.properties - Build optimization
org.gradle.parallel=true
org.gradle.caching=true
org.gradle.configureondemand=true
org.gradle.jvmargs=-Xmx4g -XX:MaxMetaspaceSize=1g

# Android build optimization
android.useAndroidX=true
android.enableJetifier=true
kotlin.code.style=official

Dependency Size Optimization:

android {
    packagingOptions {
        // Exclude unnecessary files to reduce APK size
        resources {
            excludes += "/META-INF/{AL2.0,LGPL2.1}"
            excludes += "META-INF/DEPENDENCIES"
            excludes += "META-INF/LICENSE"
            excludes += "META-INF/LICENSE.txt"
            excludes += "META-INF/NOTICE"
            excludes += "META-INF/NOTICE.txt"
        }
    }
}

Runtime Performance

ProGuard/R8 Configuration:

android {
    buildTypes {
        release {
            isMinifyEnabled = true
            isShrinkResources = true
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
    }
}

Dependency Analysis:

# Analyze dependency sizes
./gradlew app:analyzeDependencies

# Check for duplicate dependencies
./gradlew app:dependencies --configuration releaseRuntimeClasspath | grep -E "\\+---|\\\---"

Module Structure

Core Modules

Core Domain:

// core/domain/build.gradle.kts
dependencies {
    // Pure Kotlin dependencies only
    implementation "org.jetbrains.kotlinx:kotlinx-coroutines-core:1.7.3"
    
    // No Android dependencies in domain layer
    testImplementation "junit:junit:4.13.2"
    testImplementation "org.jetbrains.kotlinx:kotlinx-coroutines-test:1.7.3"
}

Core Data:

// core/data/build.gradle.kts
dependencies {
    implementation project(":core:domain")
    
    // Android dependencies for data layer
    implementation "androidx.room:room-runtime:2.6.1"
    implementation "androidx.room:room-ktx:2.6.1"
    kapt "androidx.room:room-compiler:2.6.1"
    
    // Networking
    implementation "com.squareup.retrofit2:retrofit:2.9.0"
}

Core UI:

// core/ui/build.gradle.kts
dependencies {
    // Compose UI dependencies
    implementation platform("androidx.compose:compose-bom:2024.02.00")
    implementation "androidx.compose.ui:ui"
    implementation "androidx.compose.material3:material3"
    
    // Image loading
    implementation "io.coil-kt:coil-compose:2.5.0"
}

Feature Modules

Feature Dependencies:

// feature/vault/build.gradle.kts
dependencies {
    implementation project(":core:domain")
    implementation project(":core:data")
    implementation project(":core:ui")
    
    // Feature-specific dependencies
    implementation "androidx.work:work-runtime-ktx:2.9.0"
}

Maintenance Procedures

Regular Maintenance Tasks

Weekly Tasks:

Run dependency vulnerability scans
Review dependency update notifications
Check for new stable releases

Monthly Tasks:

Update non-critical dependencies
Review and update version catalog
Generate dependency reports

Quarterly Tasks:

Major version updates planning
License compliance review
Performance impact assessment

Emergency Procedures

Critical Vulnerability Response:

Immediate Assessment - Evaluate vulnerability impact
Quick Fix - Apply temporary mitigation if available
Dependency Update - Update affected dependency
Testing - Verify fix doesn’t break functionality
Release - Emergency release if necessary

Build Break Response:

Identify Cause - Determine which dependency caused the issue
Rollback - Revert to last known good version
Investigation - Analyze compatibility issues
Alternative - Find alternative dependency if needed
Update Process - Improve testing to prevent recurrence

Automation and Tooling

Dependency Update Automation

GitHub Actions Workflow:

# .github/workflows/dependency-updates.yml
name: Dependency Updates
on:
  schedule:
    - cron: '0 9 * * MON' # Weekly on Monday

jobs:
  update-dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for updates
        run: ./gradlew dependencyUpdates
      - name: Create PR for updates
        uses: peter-evans/create-pull-request@v5
        with:
          title: "chore: update dependencies"

Security Scanning:

# .github/workflows/security-scan.yml
name: Security Scan
on:
  push:
    branches: [ main, develop ]
  schedule:
    - cron: '0 2 * * *' # Daily at 2 AM

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run OWASP Dependency Check
        run: ./gradlew dependencyCheckAnalyze

Local Development Tools

Setup Scripts:

#!/bin/bash
# scripts/setup-dependencies.sh

echo "Setting up Project Myriad dependencies..."

# Check Java version
java -version

# Download dependencies
./gradlew build --refresh-dependencies

# Run security scan
./gradlew dependencyCheckAnalyze

echo "Dependency setup complete!"

Validation Scripts:

#!/bin/bash
# scripts/validate-dependencies.sh

echo "Validating dependency configuration..."

# Check for vulnerabilities
./gradlew dependencyCheckAnalyze

# Verify compatibility
./gradlew dependencies

# Check for updates
./gradlew dependencyUpdates

echo "Validation complete!"

Future Enhancements

Planned Improvements

Version Catalogs:

✅ Completed - Using Gradle version catalogs for centralized version management
✅ Implemented - Shared version catalogs across all modules in gradle/libs.versions.toml
Planned - Automate version catalog updates with Dependabot or Renovate