Ask HN: How do you vet open source libraries?

8 points by nothasan 5 years ago · 8 comments

I try to minimise the impact of security vulnerabilities, but it just seems painstaking to look through a ton of code. Are there processes that people/companies follow that decrease the time taken to do this?

softwaredoug 5 years ago

- how recent was the last commit?

- what is the license? (Avoiding copyleft headaches)

- do the issues look cared for?

- is there an issue asking “is the project maintained any longer?”

- what business or person is behind the project? What is their motive for creating the project?

- how much of an impact would it be if the project disappeared tomorrow? Could I maintain a fork or rebuild it? Is it core business functionality or a side thing?

- do others at my company use it? Or do they have a different library/etc for solving the problem?

  • Jugurtha 5 years ago

    The above plus who is maintaining the code? Did they put an intern to manage issues and do they understand the issues? Are pull requests quickly accepted or refused?

    For example, there's a library we rely on for our product where they put an intern in charge of issues and take 5 months to accept pull requests or fix the bug. This has led us to develop plugins instead of contributing or maintaining a fork (not to deal with conflicts).

  • crazypython 5 years ago

    > - what is the license? (Avoiding copyleft headaches)

    If your app is server-side, GPL explicitly permits "private use" of GPL code without licensing anything to anyone, as long as you keep it private on your server.
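One way to automate the checklist in this subthread (softwaredoug's points plus Jugurtha's question about how quickly pull requests are handled), as an added example that is not code from any commenter here. It runs over constructed repository metadata shaped like GitHub REST API responses, so it works offline; the thresholds (365 idle days, 90 days to merge) are assumed values to tune for your own risk appetite.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like GitHub REST API responses for a repository,
# its open issues and its pull requests; it describes no real project.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
REPO = {"pushed_at": "2018-11-03T00:00:00Z", "archived": False,
        "license": {"spdx_id": "AGPL-3.0"}}
ISSUES = [{"title": "Is this project still maintained?", "created_at": "2019-08-01T00:00:00Z"},
          {"title": "Crash on empty input", "created_at": "2019-02-10T00:00:00Z"}]
PULLS = [{"created_at": "2019-01-05T00:00:00Z", "merged_at": "2019-06-07T00:00:00Z"},
         {"created_at": "2019-09-01T00:00:00Z", "merged_at": None}]
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0"}


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps GitHub emits into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def vet_repo(repo, issues, pulls, now=NOW, stale_days=365, slow_merge_days=90):
    """Return the red flags raised by the thread's checklist, as plain strings."""
    flags = []
    if repo.get("archived"):
        flags.append("repository is archived")
    idle = now - _ts(repo["pushed_at"])  # "how recent was the last commit?"
    if idle > timedelta(days=stale_days):
        flags.append(f"last push {idle.days} days ago")
    spdx = (repo.get("license") or {}).get("spdx_id")  # "what is the license?"
    if spdx is None:
        flags.append("no license detected")
    elif spdx in COPYLEFT:
        flags.append(f"copyleft license ({spdx}); check it fits your distribution model")
    for issue in issues:  # "is there an issue asking whether the project is maintained?"
        if "maintained" in issue["title"].lower():
            flags.append(f"maintenance question open: {issue['title']!r}")
            break
    merged = [p for p in pulls if p["merged_at"]]  # "are pull requests quickly accepted?"
    if merged:
        lag = sum((_ts(p["merged_at"]) - _ts(p["created_at"])).days for p in merged) / len(merged)
        if lag > slow_merge_days:
            flags.append(f"pull requests take {lag:.0f} days on average to merge")
    unmerged = [p for p in pulls
                if not p["merged_at"] and now - _ts(p["created_at"]) > timedelta(days=slow_merge_days)]
    if unmerged:
        flags.append(f"{len(unmerged)} pull request(s) open for more than {slow_merge_days} days")
    return flags


if __name__ == "__main__":
    for flag in vet_repo(REPO, ISSUES, PULLS):
        print("-", flag)
```

Fed live data from the repository, issues and pulls endpoints, the same function gives a first-pass triage before anyone reads the code.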

burntoutfire 5 years ago

I check if it's on a list of libraries that we're allowed to use in our bank (my employer). Then I learn that the list is a total mess, the people in charge of it have been purged in the latest round of cost-saving-inspired firings and apparently no one was assigned this responsibility after that. Then I just use whatever I want.

Raed667 5 years ago

Just the basics: number of installs, activity of maintainers, the "feel" of their GitHub repository.

I have never had the need (nor was I asked) to vet code in depth before adding a dependency.

tacostakohashi 5 years ago

Ideally you can use the libraries provided by your Linux distribution / vendor, and they can do the heavy lifting and economies of scale can be taken advantage of.

Even if you're not actually running your code on Debian / RHEL / whatever, using libraries that are distributed by those vendors where possible is a good start.

codegladiator 5 years ago

Fork the repo and keep an eye on the original repo commits/issues.

bananamansion 5 years ago

You can use https://snyk.io/advisor/
