Choosing a project's dependencies is something we sometimes overlook, but it can have a significant impact on the project's security and maintainability. The following image illustrates the idea:
To facilitate this process, Google recently launched a new project, deps.dev. Its slogan summarizes its objective: Understand your dependencies. The tool covers packages from the npm (JavaScript), Cargo (Rust), Go, PyPI (Python), and Maven (Java) ecosystems.
To show the advantages, imagine a scenario: a team is developing an API in Go and needs to choose a library to implement the Circuit Breaker pattern. After some research on the internet and on the excellent website Awesome Go, they narrowed the list down to the following options:
Let's look up each one on deps.dev to start the comparison. These are the links to the analysis of each lib:
Some of the information presented stood out to me. For example, in the analysis of gobreaker:
- The tool shows a score for the lib (the OpenSSF Scorecard), built from checks such as whether the project has a security policy, which license it uses, and whether it is actively maintained:
- We can see how many dependencies the lib has and how many projects depend on it. A large number of dependents is a reasonable signal of trust from the community, though not a guarantee of quality:
It is also possible to see whether the lib has any security advisories. The mercari/go-circuitbreaker lib presents a risk in this regard. Before discarding a lib on that basis, check whether the advisory is in the lib itself or in one of its transitive dependencies, and whether a fixed version is already available:
With this information, the team can make a safer decision as to which libs they can use in their project.
Another handy feature is that deps.dev has an API. With it, you can add a check to the project's Continuous Integration pipeline that fails the build when a pinned dependency has a known security advisory, or warns when a newer version of an essential library is available.
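As an added illustration (not code from the original post or from the deps.dev project), here is a small Go program that implements such a CI check. It assumes the deps.dev REST API base URL and the `versionKey`, `advisoryKeys`, `versions` and `isDefault` fields of the GetVersion and GetPackage responses, so confirm those against the API docs before relying on it; the sample JSON and the advisory ID in it are constructed placeholders, not real deps.dev data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"time"
)

// Assumed base URL and field names; verify against https://docs.deps.dev/api/v3/.
const apiBase = "https://api.deps.dev/v3"

type VersionKey struct {
	System  string `json:"system"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

// VersionInfo: the fields this check needs from a GetVersion response.
type VersionInfo struct {
	VersionKey   VersionKey          `json:"versionKey"`
	AdvisoryKeys []struct{ ID string `json:"id"` } `json:"advisoryKeys"`
}

// PackageInfo: the fields this check needs from a GetPackage response.
type PackageInfo struct {
	Versions []struct {
		VersionKey VersionKey `json:"versionKey"`
		IsDefault  bool       `json:"isDefault"`
	} `json:"versions"`
}

// Finding is the verdict for one pinned dependency.
type Finding struct {
	Advisories     []string // advisory IDs attached to the pinned version
	DefaultVersion string   // version deps.dev marks as default (assumed: latest stable)
	Outdated       bool     // pinned version differs from DefaultVersion
}

// Fail blocks CI only on advisories; being outdated is reported, not fatal.
func (f Finding) Fail() bool { return len(f.Advisories) > 0 }

// Evaluate combines the two responses for one dependency into a Finding.
func Evaluate(versionJSON, packageJSON []byte) (Finding, error) {
	var v VersionInfo
	if err := json.Unmarshal(versionJSON, &v); err != nil {
		return Finding{}, fmt.Errorf("version response: %w", err)
	}
	var p PackageInfo
	if err := json.Unmarshal(packageJSON, &p); err != nil {
		return Finding{}, fmt.Errorf("package response: %w", err)
	}
	var f Finding
	for _, a := range v.AdvisoryKeys {
		f.Advisories = append(f.Advisories, a.ID)
	}
	for _, pv := range p.Versions {
		if pv.IsDefault {
			f.DefaultVersion = pv.VersionKey.Version
		}
	}
	f.Outdated = f.DefaultVersion != "" && f.DefaultVersion != v.VersionKey.Version
	return f, nil
}

// Go module paths contain slashes, so the name is escaped into one path segment.
func VersionURL(system, name, version string) string {
	return fmt.Sprintf("%s/systems/%s/packages/%s/versions/%s",
		apiBase, system, url.PathEscape(name), url.PathEscape(version))
}

func PackageURL(system, name string) string {
	return fmt.Sprintf("%s/systems/%s/packages/%s", apiBase, system, url.PathEscape(name))
}

func fetch(c *http.Client, u string) ([]byte, error) {
	resp, err := c.Get(u)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: %s", u, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// Constructed sample responses (placeholder advisory ID, fictitious module) for offline use.
const sampleVersionJSON = `{"versionKey":{"system":"GO","name":"example.com/constructed/lib","version":"v1.0.0"},
 "advisoryKeys":[{"id":"GHSA-xxxx-xxxx-xxxx"}]}`
const samplePackageJSON = `{"versions":[
 {"versionKey":{"system":"GO","name":"example.com/constructed/lib","version":"v1.0.0"},"isDefault":false},
 {"versionKey":{"system":"GO","name":"example.com/constructed/lib","version":"v1.2.0"},"isDefault":true}]}`

func die(err error) { fmt.Fprintln(os.Stderr, err); os.Exit(2) }

// Usage: depscheck go github.com/sony/gobreaker v0.5.0
func main() {
	if len(os.Args) != 4 {
		die(fmt.Errorf("usage: depscheck <system> <package> <version>"))
	}
	system, name, version := os.Args[1], os.Args[2], os.Args[3]
	c := &http.Client{Timeout: 10 * time.Second}
	vj, err := fetch(c, VersionURL(system, name, version))
	if err != nil {
		die(err)
	}
	pj, err := fetch(c, PackageURL(system, name))
	if err != nil {
		die(err)
	}
	f, err := Evaluate(vj, pj)
	if err != nil {
		die(err)
	}
	fmt.Printf("%s@%s advisories=%v default=%s outdated=%v\n", name, version, f.Advisories, f.DefaultVersion, f.Outdated)
	if f.Fail() {
		os.Exit(1) // non-zero exit fails the pipeline step
	}
}
```

Run it as one step of the pipeline for each essential dependency; a non-zero exit fails the build on an advisory, while the "outdated" flag can be turned into a warning or a ticket. Pinning the exact version from go.mod is what makes the advisory lookup meaningful, since deps.dev attaches advisories per version.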
deps.dev is a worthwhile project that can help teams choose their dependencies more carefully and keep an eye on them after they are in the project.
Originally published at https://eltonminetto.dev on April 19, 2023