Show HN: Dependency CI – Continuous testing for your dependencies
dependencyci.comThis is a very interesting service, thank you!
May I ask you for some little thing that might change the (development) world? Would you please like to introduce a folder, where people might put their dependency.yml file - this is an effort to finally stop the spreading cancer of "put one more config file into the project root".
I would like to suggest to call that folder simply "config" - all the projects and tools out there should have no problem with that. Optionally there could be one top level config file called "config.rc" - this file points to the actual config dir if it is not "config".
It would be verrry nice if one service just starts with that and hopefully all the others will follow and it will become a defacto standard. The pollution of the top level project directories really must stop.
Thank you!
I've thought of the same thing, but I feel that the horse has well and truly bolted, run back through the barn a few times, kicked some shelving over and then continued out the front and over the horizon at a brisk pace.
The ideal solution is a migration path; retain support for config in project root, but check a configuration directory first.
Workable. It'd be nice to clean up the global namespace a bit. Especially when it's a single-repo project.
I think you'll want to check the root first then config to avoid breaking existing projects, but I'm a big +1 on this idea.
Agreed, I'll definitely the ability to move your dependencyci.yml file into a .github folder like the issue and pull request templates: https://github.com/blog/2111-issue-and-pull-request-template...
beefsack is right, please do NOT make it a github specific thing. Just one config folder. All config files for services, integration, etc. should go there.
Thanks again!
Except this isn't GitHub specific.
How about .meta? Hopefully we can encourage github to support this, too. Maybe .meta/github/ could be a thing, too.
In the config.rc file you could call that folder however you want.
I personally do not like ".meta", because it is not clear what kind of information it may contain. "Meta" might be anything, documentation, description, website, design papers, everything is meta. It is a bit like using "Information" as a menu entry for a website.
It sounds like we should probably all get together and write a draft RFC for this. Choosing a good directory to toss everything into would be grand.
I'd prefer .well-known since there's already an RFC for it, but maybe .dev-extra would be more appropriate?
Do you really want to type either of those prefixes thousands of times? Brevity and lack of special chars in the name would be nice to have.
`.config` is probably a decent choice, as ~/.config for per-user settings seems to be gradually gaining adoption.
Or .well-known? (analogous to https://tools.ietf.org/html/rfc5785)
How about we put each individual config file in its own individual directory? We could name the directory after the file too, so that it is clear where each file is ;)
No but seriously, I don't think this mess of config files in the project root is really a big deal. I already grouped the interesting stuff under /src. If it is a big deal, then lets hash out an RFC that covers the general concept of "configuration" once and for all and be done with it.
What about /.bots or /.ci ? Those are specific to these types of services.
I’ve been working on Dependency CI along with https://libraries.io, the service that powers it, in my spare time for the past few months, it’s great to finally get it out into the real world.
Dependency CI works like Travis CI but for the dependencies of your application, checking them for license and status issues every time you push to GitHub.
I've written a up a post on medium with more details: https://medium.com/@teabass/introducing-dependency-ci-e859fa...
It’s 100% free for open source projects and there’s a 14 day free trial for checking private github repositories too.
Hey, Nimble creator here. Just wanted to ask, are there any reasons why it's not currently supported on Dependency CI? (apart from just lack of time on your side :))
Hey Dom, it's mostly because I've not written a parser for the .nimble manifest file, if you feel like adding it to https://github.com/librariesio/bibliothecary then it will be easy to add support for it!
Can you please support Deb packages as well? Thanks
I've known Andrew for a few years and what I love about this is how it reflects him as person: someone who loves bringing people together. Dependency CI seems to me to be a manifestation of that. Hopefully one effect of Dependency CI, if (when) it becomes popular is that it raises the bar for the stability of projects that other people depend on. We're all in this together. Keep up the great and inspiring work Andrew!
Similar to Greenkeeper or requires.io, but with a larger range of languages supported. Very interesting.
As a side note, I recommend creating a separate github account when granting permission to this kind of 3rd party. Don't grant them full read/write on your repos, create an account that's temporarily admin, then make that account read only.
The Debian project's Continuous Integration project [1] re-tests all dependent objects whenever a dependency within the Debian archive changes. This way, changes that might negatively affect dependents can be caught early.
This is immensely useful, especially to the maintainers of libraries.
In order for them to be tested, dependent objects have to declare their testability using the autopkgtest [2] interface.
[2] https://people.debian.org/~mpitt/autopkgtest/README.package-...
I was hoping that this would be a similar service, but it doesn't appear to be.
It appears to me that Dependency CI is focused on dependency metadata, focusing on the state/version/license/etc the dependency declares.
Debian's CI focuses on actual run-time testing, specifically what it calls "as-installed" testing (as opposed to build-time testing). You don't test a specific build result, but whatever is installed in $PATH, $LD_LIBRARY_PATH, and so on.
Because the tested objects also use the as-installed dependencies -- libraries, modules, etc. -- whenever one of the dependencies changes, the dependents can automatically be re-tested for compatibility.
Yeah, someone please write reverse-dependency-ci! :)
There are plenty of other services in this space (see below for a couple). I hadn't heard of Dependency CI and what immediately impresses me is the number of different package managers supported.
OP- Do you have a roadmap to supporting this outside of GitHub? I think the people that benefit most from it, due to corporate policies and outdated deps, are the people least likely to be using GitHub!
Everyone else - Is this a general problem with people locking these (very cool) tools to GitHub? Is there a generalised solution to the problem of source control integration?
its bad decision making. but to be fair dependency ci will add gitlab and bitbucket in the future. it still sucks that awesome tools like this are github first, git is a central tool and tools arround git should not depend on any hoster at all - imho
What alternative decision are you imagining? A service like this can’t depend on Git alone. It needs to know when the repo is updated (e.g. GitHub’s webhooks) and has to publish its results somewhere (e.g. GitHub’s commit statuses). So it only really works with hosted repos.
Since each hosting service has a different API, each integration needs to be built individually. And it makes sense to integrate with GitHub first because it’s the most popular repo host.
Maybe server-side git hooks would do the trick? Can we assume that any "decent" git server will be able to run a bash script? A service could instruct the user to download a couple scripts and put them in .git/hooks. Or just copy and paste a wget command from within the repo root.
> It needs to know when the repo is updated (e.g. GitHub’s webhooks)
post-receive hooks work well for this. I use them to push changes from my laptop up to my server and GitHub (which I use as a free mirror). My server uses a post-receive hook to regenerate a HTML view of the repo.
> has to publish its results somewhere (e.g. GitHub’s commit statuses)
Git has really good email integration.
It's the most popular repo host on HN for sure, but think about all the private repos behind corporate firewalls etc!
Some of which are Github Enterprise :p
FYI GitLab is considering integrating VersionEye in the interface
For JavaScript and Python developers, there is a newish service called Doppins (from Norway!) that I've really been enjoying for my open source projects: https://doppins.com/
No conf required other than your normal requirements.txt, sends you a PR whenever there are new versions available. Cracking stuff.
Having gotten to know Andrew a bit over the last few months, I can wholeheartedly say that he cares a lot about the open source community. DependencyCI and Libraries.io are labours of love and craftsmanship!
Great work on this, looks very useful. Does it only work with GitHub? Would love to have this for my private GitLab instance
Yep. Same for Bitbucket. Or just support all git repos that are accessible via the public internet.
Github's pricing model means that lots of people can't use it for private repos - 'per repo' pricing isn't fun if you prefer lots of small repos.
Github changed their pricing model to per user pricing with unlimited private repos:
Currently only supports GitHub but bitbucket and gitlab are on the todo list as well
FYI We're looking to integrate VersionEye into the GitLab interface.
Great idea! My company requires external libraries licenses to be revieved every half a year and it usually takes a couple of days to do so. Your project could be a real time-saver. Unfortunately the integration with Maven does not seem to work in most cases, if it did I would already have sent the link to our CTO.
You could use the VersionEye Maven Plugin for that: https://github.com/versioneye/versioneye_maven_plugin. It checks your dependencies against a license whitelist on the VersionEye server and if there is a violation it breaks your build on your CI server. That way you can enforce a license policy continuously. It's much better than just checking licenses once a year ;-)
I'm working on VersionEye since a couple years, it's a similar project and I open sourced it last week: https://blog.versioneye.com/2016/06/28/versioneye-goes-open-.... I'm following Andrews activities since a while and like what he did with libraries.io. Great job! As both projects have a big overlap and are open source now I'm open for collaboration :)
Pivotal Labs have a similar problem -- ensuring that only whitelisted licenses are represented in a codebase -- and developed License Finder for this kind of auditing: https://github.com/pivotal/LicenseFinder
We also use it for Cloud Foundry. It's fairly robust.
I work for Pivotal, but not on LF.
Isn't this the actually the wrong solution? I thought I was told I should be pulling my dependencies into my own cloned repos. Then my project uses my clones. When I want an update I test it out, update the cloned repo and update the project to use the latest tag/hash of my cloned repo. Isn't that what pretty much all the top projects do?
This way everything is under my control. What good is it if I'm told my dependencies has been deleted? And then I what? Copy my old dep from my dev machine to a cloned repo and point to that? Isn't that the same step as above?
Or maybe I just don't get it.
You're not wrong, but you can use that technique and benefit from Dependency CI too.
Typically, you can define your dependencies in a file specific to a certain package manager. NPM uses `package.json`, RubyGems uses `Gemfile`, etc.
It is a reasonable practice to "vendor in" your dependencies, as you suggest. But given the declaration of your dependencies in some manifest file, Dependency CI can give you valuable insights.
Many ways to skin a cat.
Cool concept! Is the spec for the dependency.yml file open source? Would be cool to see something like it become a standard: it's a concern for the project owner, but also for the project clients/users.
It's in the works, very little documentation at the moment: https://github.com/dependencyci/dotyaml
What would be really interesting is a service that would tell me the build status and code coverage metrics for each version of a dependency I use in my project (and each dependency they use their projects and so on).
Even more interesting would be something that would attempt to force code coverage analysis on projects that use a standard testing framework, have a certain amount of tests present, but don't have CC configured in their project.
At first I was thinking that is what this service did but it doesn't appear to be the case.
There's also a somewhat similar service a friend and myself evaluated a couple of months ago, we had similar ideas but we eventually let go of our prototype because of "fear" of said competition ...
DepdendencyCI already did better than us in that regard and it seems like they are doing an an all-around great job (I especially like the multi language support)! :)
Hattip to the team!
I added my project and the service claims it has 0 dependencies (Listed in the build.gradle file).
Bug?
Will investigate that for you shortly, I've only just added support for gradle, might be skipping some sections of file
Also having an "error" status or 0 dependencies with my gradle projects...
For python developers - why does not any CI out there support Conda - out of the box.. :(
Very interesting, but I can't seem to sign up for the trial to use on private repositories.
Great idea! Would love also MVP version of that which help you pick better dependencies.
Thats the authors other project libraries.io :)
This would be super useful for making sure left-pad is still functioning.
Would be cool if it could support Puppet modules.
Very proud of Andrew's tenacity and ability to offer a simple solution to a problem that strengthens the open source community rather than ruminating and/or grand standing about it.