git submodule

Avoid Spaghetti Dependencies in Software Engineering

21 Jun 2026 — 6 min read

Avoid spaghetti dependencies with this simple strategy for monorepos.

To keep dependencies tidy, organize code in a monorepo and enforce explicit module boundaries using tools like git submodule and CI/CD checks.

Key Takeaways

Monorepos simplify dependency visibility.
git submodule creates clear ownership.
CI/CD can automatically reject hidden imports.
Layered architecture prevents cycles.
Documentation anchors the strategy.

When a build failed last month because a utility library was pulling in an internal API that no one had declared, I realized the team was suffering from classic spaghetti dependencies. The codebase spanned several GitHub repositories, each with its own versioning schedule, and the CI pipeline only ran a shallow lint at the top level. The hidden import caused a runtime error that slipped through the cracks, delaying the release by two days.

Spaghetti dependencies are tangled, implicit relationships between modules that make it hard to understand who relies on what. They often arise when teams treat each repository as an isolated island but still share code without a formal contract. Over time, the import graph becomes a dense knot, and a single change can ripple across unrelated services.

My experience taught me that the most reliable antidote is to bring the code into a single monorepo and then enforce clear boundaries. A monorepo provides a unified view of the entire source tree, making it trivial to see every import statement. When combined with git submodule for third-party or legacy components, and a CI/CD pipeline that validates dependency rules, the risk of hidden couplings drops dramatically.

Why a monorepo matters for dependency hygiene

A monorepo is a single repository that contains multiple projects, libraries, and services. According to Wikipedia, an IDE is intended to enhance productivity by providing development features with a consistent user experience as opposed to using separate tools, such as vi, GDB, GCC, and make. The same principle applies to version control: a single source of truth reduces the friction of cross-repo coordination.

In a monorepo, every module lives under a predictable directory structure, for example:

src/
  auth/
  payments/
  utils/
  third_party/

This layout lets developers run a single git grep to discover all references to utils. The visibility alone discourages ad-hoc imports because you can see instantly who is pulling in which package.

Moreover, modern CI/CD platforms such as GitHub Actions or GitLab CI can compute a dependency graph on each push. By comparing changed files against the directory map, the pipeline can flag any import that crosses a defined boundary. This automated guardrail turns a manual code-review habit into a repeatable rule.

Step-by-step strategy to eliminate spaghetti

Identify logical modules. Break the codebase into cohesive units (e.g., authentication, billing, shared utilities). In my project we used domain-driven naming and recorded each module in a MODULES.md file.
Create a monorepo layout. Move each module into its own folder under src/. Preserve each module’s history with git filter-repo so blame remains accurate.
Define dependency rules. Use a linting tool such as eslint-plugin-boundaries or a custom script that reads a dependency.yaml file. Example rule: auth may depend on utils but never on payments.
Automate version bumps. When a module changes, a CI job updates its version in a CHANGELOG.md and publishes a tag. Downstream modules that depend on it must update their package.json or go.mod, making the dependency explicit.

Integrate checks into CI/CD. In a GitHub Actions workflow we added a step:

- name: Enforce module boundaries
  run: ./scripts/check-boundaries.sh

The script exits with a non-zero code if an illegal import is found, causing the build to fail.

Add git submodule for external legacy code. For a 2008 payment gateway that still runs on its own repo, we added a submodule:

git submodule add https://github.com/company/legacy-gateway.git src/third_party/legacy-gateway

This isolates the legacy code and makes its version explicit in .gitmodules. The submodule approach is highlighted in the Git Tutorial: 17 Essential Skills to Master.

These steps turn a chaotic web of imports into a disciplined, auditable process. Because the monorepo holds everything, a single pull request can be evaluated against the full dependency graph, and the CI system can reject any attempt to sneak in an unauthorized reference.

Comparison: Monorepo vs Multi-repo

Aspect	Monorepo	Multi-repo
Visibility of imports	Global search across all modules	Limited to each repo
Version coordination	Single commit triggers whole pipeline	Multiple release cycles
CI/CD complexity	One pipeline can enforce rules	Separate pipelines per repo
Tooling overhead	Initial restructuring effort	Ongoing cross-repo sync
Scalability	Works with modern build caches	May fragment teams

The table shows why many cloud-native teams favor a monorepo once they reach a scale where hidden dependencies become a bottleneck. The initial cost of migration is offset by the long-term reduction in accidental coupling.

Real-world example: CI/CD catching a hidden import

During a recent sprint, a developer added a helper function in src/utils/logging.js and imported it directly from src/payments/processor.js. Our check-boundaries.sh script flagged the violation because payments is not allowed to depend on utils - only auth can. The CI job failed, and the pull request was returned for correction. The developer moved the helper into src/payments/common, preserving the intended architecture.

This incident illustrates how a simple script, combined with a monorepo layout, can enforce design intent without requiring a heavyweight review. The feedback loop happens in minutes rather than days.

Best practices and common pitfalls

Document module boundaries. Keep the dependency.yaml file under version control and update it whenever architecture evolves.
Use code owners. Assign ownership in .github/CODEOWNERS so reviewers are automatically requested for changes in a given module.
Limit submodule depth. Nesting submodules can reintroduce hidden layers; keep them flat and treat them as immutable vendor packages.
Cache builds wisely. Modern CI platforms support incremental builds; configure caches per module to avoid rebuilding the entire monorepo on every change.
Watch for cyclic dependencies. A simple npm ls or go mod graph can reveal cycles that the lint rule might miss.

When I first introduced submodules, I made the mistake of committing generated files inside the submodule directory. This caused merge conflicts that rippled into the main repo. The lesson was to keep the submodule clean and use .gitignore to exclude build artifacts.

Integrating with existing dev tools

Most IDEs already understand monorepo structures. An IDE that supports source-code editing, source control, build automation, and debugging - such as Visual Studio Code or IntelliJ - can present a unified view without needing separate tools like vi, GDB, GCC, and make. This aligns with the definition of an IDE from Wikipedia, which stresses a consistent user experience.

To make the most of the IDE, enable extensions that highlight import statements crossing module boundaries. In VS Code, the Import Cost extension can be configured to show a warning when an import originates from a disallowed folder.

Learning resources

Developers new to git submodule often ask where to start. The Git Tutorial: 17 Essential Skills to Master offers a beginner guide that covers submodule initialization, updating, and removal. Pair that with a CI/CD tutorial from your platform of choice to see the checks in action.

In my next internal workshop I will walk the team through a "complete guide to git" that includes submodule workflows, branch policies, and automated linting. The goal is to demystify the command line and give developers confidence that they can manage dependencies without creating spaghetti.

FAQ

Q: What is a spaghetti dependency?

A: A spaghetti dependency is an implicit, tangled relationship between code modules that makes it hard to see who relies on whom. It often results from ad-hoc imports across multiple repositories without a clear contract.

Q: How does a monorepo help prevent hidden imports?

A: In a monorepo all code lives under a single directory tree, so a global search can reveal every import. CI/CD pipelines can then enforce rules that reject imports crossing defined module boundaries.

Q: When should I use git submodule inside a monorepo?

A: Use a submodule when you need to include an external or legacy repository that has its own lifecycle. The submodule records a specific commit, keeping the dependency version explicit while preserving a clean monorepo layout.

Q: Can CI/CD automatically enforce module boundaries?

A: Yes. A custom script or linting plugin can read a boundary definition file and exit with an error if a forbidden import is detected. Adding this step to the CI workflow blocks the build before the code is merged.

Q: What are common pitfalls when migrating to a monorepo?

A: Common issues include losing history during folder moves, unintentionally committing generated files in submodules, and under-estimating the initial restructuring effort. Planning the directory layout and using tools like git filter-repo mitigates these risks.