I have to laugh at that. The two biggest banks Goldman Sachs and JP Morgan are heavily mono repo.
It actually makes all certifications and auditing easier. The shared tooling/platform can be checked, everything else can ride on it. Half the questions of certifications are about tracking changes... easy when it's all tracked by the repo.
We've had to go through similar-to-PCI compliance hoops for our monorepo, and settled on a solution that didn't degrade the median developer's velocity too much.
I'm curious to know what other monorepo companies had to go through to satisfy the compliance people.
- Work best when you have an open culture
- PCI compliance will be annoying
- The obvious--everything in one place
- Need good tooling around keeping master building
- As they grow, become an uphill battle to use with an IDE
- Test are likely to slow down as the repo grows, so tooling around tests
- Usually lead to a rats nest of dependencies
- Third-party library upgrades can be painful
- Coupled with CD (and it really needs to be coupled with CD), it's easy to get surprise breaks
Multirepos:
- Every team will need to dabble in build and release engineering
- Changes across repos are slow and painful (I claim this is a feature because it makes you think about versioning and deployment)
- Library developers have to think more about versioning
- You'll probably need a binary repository like Artifactory
- More time and tooling needed to do library upgrades (especially interesting for security issues)
- Harder for people to switch teams