Libraries.io is an open source library catalogue that helps you find new libraries and keep track of the ones you already use in your projects. Once set up with a GitHub project, the service monitors the repository and notifies you in case there’s a new version of a dependency available.
Building upon this, Dependency CI is a continuous integration service that offers "automatic compliance testing for all of the dependencies in your application". It’ll warn you about problems like deprecated and unmaintained dependencies as well as licensing issues. Compliance testing for insecure dependencies, outdated dependencies and a high bus factor are currently listed as features soon to come.
Both services support most widely used dependency management tools such as Maven, npm and RubyGems.
Reliable dependency management is an essential tool in software development today. Dependency management allows us to create reproducible, stable software builds that behave predictably. However, as the recent npm / left-pad fiasco has proven, dependency management services themselves can cause stability issues. If dependency management fails, it often does so spectacularly, leading to a worst case scenario of software not being compilable at all.
Hence, continuously improving the quality and dependability of this vital component of software engineering is a critical endeavour in improving the overall quality of software and software engineering. While they’re just two components of the larger picture that is stable dependency management, Libraries.io and Dependency CI address and alleviate important issues and are worth looking into.