Do you review a dependency before adding it? Base it on what criteria? Discuss it with others, open a pull request or is it a total free-for-all where everything is allowed?
My question comes from a previous post and the need to adopt (or at least discuss) a strategy for how new dependencies are added securely and efficiently.
I found this AskJS reddit thread on the same subject, but not many responses unfortunately.
I am keen to hear of other experiences on this topic.
Context: Secure management of dependencies is one of the issues our package management tool bytesafe addresses. As such I would like to get a better understanding of the workflow and concerns of the community on this issue.
Top comments (4)
I add dependency all the time. I only check whether they have TypeScript definition, as it's a hassle writing definition and getting it accepted into DefinitelyTyped.
Thanks for sharing! Do you put any value in stats like weekly downloads or when the package was last updated? Or do you feel like you already know enough of the dependency already to trust it?
I have many "10 weekly downloads" dependencies, but I do consider update date and GitHub issues list. If the package is not being maintained and issues are piling up, I'm less likely to use it.
Or I would send pull requests for issues that affect me, and start publishing a fork if owner doesn't merge or otherwise fix the issues in 3 months. Example: npmjs.com/package/@yoursunny/mole-rpc - and NPM gets one more "10 weekly downloads" package, because I'm no longer using it myself.
Thanks again for elaborating. Considering the update date and GitHub issues list are great examples of making an informed and intentional decision on dependencies.