Elton Minetto

Choosing dependencies using deps.dev

Choosing a project's dependencies is something we sometimes overlook, but it can have a significant impact. The following image illustrates the idea:

dependencies

To facilitate this process, Google recently launched a new project, deps.dev. Its slogan summarizes its objective: Understand your dependencies. The tool supports programming languages such as JavaScript, Rust, Go, Python, and Java.

To show the advantages, imagine a scenario: a team is developing an API in Go and needs to choose a library to implement the Circuit Breaker pattern. After some research on the internet and the excellent website Awesome Go, they reduced the list to the following options:

Let's search each in deps.dev to start the comparison. These are the links to the analysis of the libs:

Some of the information presented stood out to me. For example, in the analysis of gobreaker:

  • The tool creates a score for the lib, using criteria such as security, license, and whether it is actively maintained:

dependencies_score

  • We can see how many dependencies the lib has and how many projects are using it, which can be a good sign of quality and trust from the community:

dependencies_dependents

It is also possible to see if the lib has any security warnings. The mercari/go-circuitbreaker lib presents a risk in this regard:

dependencies_security

With this information, the team can make a better-informed, safer decision about which libs to use in their project.

Another handy feature is that deps.dev has an API. With it, you can add a check to the project's Continuous Integration pipeline that verifies whether any of the dependencies have security warnings, or whether a new version of an essential library is available.
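As an added example (not from the original post, nor code from the deps.dev project), here is the core of such a CI check in Go: it builds the deps.dev GetVersion URL for a pinned module version and turns the response into a list of findings. It assumes the deps.dev v3 JSON API shape (the post names no API version); the module name, version and advisory id are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// versionInfo: the parts of a deps.dev GetVersion response that the CI check uses.
// Field names follow the deps.dev v3 JSON API (assumption: the post names no API version).
type versionInfo struct {
	IsDefault    bool `json:"isDefault"` // true when deps.dev marks this as the default (latest) version
	AdvisoryKeys []struct {
		ID string `json:"id"` // advisory identifier, e.g. a GHSA id
	} `json:"advisoryKeys"`
}

// VersionURL builds the GetVersion endpoint for one package version. Go module paths
// contain "/", so the name is path-escaped (%2F) to remain a single URL segment.
func VersionURL(system, name, version string) string {
	return fmt.Sprintf("https://api.deps.dev/v3/systems/%s/packages/%s/versions/%s",
		url.PathEscape(system), url.PathEscape(name), url.PathEscape(version))
}

// Findings decodes a GetVersion document (as fetched from VersionURL) and lists why the
// pinned version should fail CI: one line per advisory, plus one if a newer default exists.
func Findings(name, version string, doc []byte) ([]string, error) {
	var v versionInfo
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, err
	}
	var out []string
	for _, k := range v.AdvisoryKeys {
		out = append(out, fmt.Sprintf("%s@%s: security advisory %s", name, version, k.ID))
	}
	if !v.IsDefault {
		out = append(out, fmt.Sprintf("%s@%s: a newer default version exists", name, version))
	}
	return out, nil
}

// SampleDoc is a constructed response (not real deps.dev data) so the check runs offline.
const SampleDoc = `{"isDefault":false,"advisoryKeys":[{"id":"GHSA-placeholder-id"}]}`

func main() {
	findings, _ := Findings("github.com/example/circuit", "v1.2.0", []byte(SampleDoc))
	for _, f := range findings {
		fmt.Println("FAIL:", f) // any finding fails the CI job
	}
}
```

In a real pipeline the document passed to Findings would be the body of an HTTP GET of VersionURL(...), and a non-OK status must be treated as an error rather than parsed.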

deps.dev is a worthwhile project that can help teams choose and manage their project's dependencies.

Originally published at https://eltonminetto.dev on April 19, 2023
