What is "vendoring"?

language-agnostic terminology vendor

Solution 1:

Based on this answer

Defined here for Go as:

Vendoring is the act of making your own copy of the 3rd party packages your project is using. Those copies are traditionally placed inside each project and then saved in the project repository.

The context of this answer is in the Go language, but the concept still applies.

Solution 2:

If your app depends on certain third-party code to be available you could declare a dependency and let your build system install the dependency for you.

If however the source of the third-party code is not very stable you could "vendor" that code. You take the third-party code and add it to your application in a more or less isolated way. If you take this isolation seriously you should "release" this code internally to your organization/working environment.

Another reason for vendoring is if you want to use certain third-party code but you want to change it a little bit (a fork in other words). You can copy the code, change it, release it internally and then let your build system install this piece of code.

Solution 3:

Vendoring means putting a dependency into you project folder (vs. depending on it globally) AND committing it to the repo.

For example, running cp /usr/local/bin/node ~/yourproject/vendor/node & committing it to the repo would "vendor" the Node.js binary – all devs on the project would use this exact version. This is not commonly done for node itself but e.g. Yarn 2 ("Berry") is used like this (and only like this; they don't even install the binary globally).

The committing act is important. As an example, node_modules are already installed in your project but only committing them makes them "vendored". Almost nobody does that for node_modules but e.g. PnP + Zero Installs of Yarn 2 are actually built around vendoring – you commit .yarn/cache with many ZIP files into the repo.

"Vendoring" inherently brings tradeoffs between repo size (longer clone times, more data transferred, local storage requirements etc.) and reliability / reproducibility of installs.

Solution 4:

Summarizing other, (too?) long answers:

Vendoring is hard-coding the often forked version of a dependency.

This typically involves static linking or some other copy but it doesn't have to.

Right or wrong, the term "hard-coding" has an old and bad reputation. So you won't find it near projects openly vendoring, however I can't think of a more accurate term.

Related

IE crossing out pseudo element CSS?
How to debug code in NuGet package created by me
How do I get just the date when using MSSQL GetDate()? [duplicate]
Google Analytics SDK 3.0 _sqlite3 linker errors in iOS
When to use byte array & when byte buffer?
What's the difference between __builtin__ and __builtins__?
Get object property name as a string
Where do global npm packages get installed on Ubuntu [closed]
Difference between google() and maven { url 'https://maven.google.com' }
RequireJS: Difference between "requirejs" and "require" functions
can't load package: package .: no buildable Go source files
Visual Studio 2015- How to disable "based on your project, we have identified extensions you may find helpful" message?