Introducing insight into your dependencies' health in dependency-management-data
In the last couple of days I've been working on surfacing more metadata about dependencies in dependency-management-data, so you can make more intentional decisions about your dependency tree.
This came out of wanting to gauge how well maintained dependencies are, and to spot gaps in how supply chain security risks are being managed.
As part of the v0.76.0 release of dependency-management-data, it's now possible to get insight into:
- Metadata about the repository that backs the dependency, such as the last push to the default branch by a contributor and how recently any releases have shipped, via the excellent Ecosyste.ms
- OpenSSF Security Scorecards data
With this, any dependency that has a Maintained Scorecard score of 0, has an archived repo backing the package, or is marked as deprecated in its package manager will now be flagged with an UNMAINTAINED advisory in dependency-management-data, making such dependencies easier to surface.
And you can now use that data in Policies, too, to codify your organisational risk policies and flag dependencies you aren't comfortable with, e.g. "we don't want to use any dependencies that don't have signed releases".
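As an added illustration of the UNMAINTAINED rule above and of a signed-releases policy, here is a small Go evaluator over constructed records. It is not dependency-management-data's own code: the struct fields, advisory types and sample packages are assumptions made for this example.

```go
package main

import "fmt"

// Dependency holds the health signals the post describes. The field names are
// assumptions for this example, not dependency-management-data's real schema.
type Dependency struct {
	Name            string
	MaintainedScore int  // OpenSSF Scorecard "Maintained" check, 0-10
	RepoArchived    bool // backing repository is archived (via Ecosyste.ms)
	Deprecated      bool // marked deprecated in its package manager
	SignedReleases  bool // OpenSSF Scorecard "Signed-Releases" check passes
}

// Advisory pairs a package with an advisory type and the reason it was raised.
type Advisory struct{ Name, Type, Reason string }

// UnmaintainedReasons returns every signal marking d UNMAINTAINED, so a package that is both archived and deprecated reports both.
func UnmaintainedReasons(d Dependency) []string {
	var reasons []string
	if d.MaintainedScore == 0 {
		reasons = append(reasons, "Scorecard Maintained score is 0")
	}
	if d.RepoArchived {
		reasons = append(reasons, "backing repository is archived")
	}
	if d.Deprecated {
		reasons = append(reasons, "deprecated in its package manager")
	}
	return reasons
}

// Evaluate raises UNMAINTAINED advisories and, for the rule "no dependencies without signed releases", a POLICY advisory.
func Evaluate(deps []Dependency) []Advisory {
	var out []Advisory
	for _, d := range deps {
		for _, r := range UnmaintainedReasons(d) {
			out = append(out, Advisory{d.Name, "UNMAINTAINED", r})
		}
		if !d.SignedReleases {
			out = append(out, Advisory{d.Name, "POLICY", "releases are not signed"})
		}
	}
	return out
}

func main() {
	deps := []Dependency{ // constructed sample data, not real package health
		{Name: "example-lib-a", MaintainedScore: 0, Deprecated: true},
		{Name: "example-lib-b", MaintainedScore: 10, RepoArchived: true, SignedReleases: true},
	}
	for _, a := range Evaluate(deps) {
		fmt.Printf("%-12s %s: %s\n", a.Type, a.Name, a.Reason)
	}
}
```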
I'm looking forward to improving the data that dependency health can surface, including sourcing which of your packages are looking for funding.
I'm also very appreciative of the work that Andrew Nesbitt has done on Ecosyste.ms!