Introducing insight into your dependencies' health in dependency-management-data

Featured image for sharing metadata for article

In the last couple of days I've been working on providing more metadata about dependencies into dependency-management-data, so you can make more intentional decisions around how you think about your dependency tree.

This came out of an interest in getting some insight into gauging how maintained dependencies are, as well as determining if there are gaps in managing supply chain security risks.

As part of the v0.76.0 release of dependency-management-data, it's now possible to get insight into:

  • Metadata around the repo that underpins the dependency, with information about the repo that the package is maintained at, such as the last push to the default branch by a contributor, and how recently any releases have been shipped, via the excellent
  • OpenSSF Security Scorecards data

With this, any dependencies that have a Maintained Scorecard score of 0, have an archived repo backing the package, or that are marked as deprecated in their package manager will now be marked as UNMAINTAINED advisories in dependency-management-data, making it easier to surface.

And you can now use that data in Policies, too, to codify your organisational risk policies, and flag cases where you aren't as comfortable with dependencies, i.e. "we don't want to use any dependencies that don't have signed releases".

I'm looking forward to improve the data that dependency health can surface, including sourcing which of your packages are looking for funding.

I'm also very appreciative of the work that Andrew Nesbitt has done on Ecosytems!

Written by Jamie Tanna's profile image Jamie Tanna on , and last updated on .

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.


This post was filed under articles.

Interactions with this post

Interactions with this post

Below you can find the interactions that this page has had using WebMention.

Have you written a response to this post? Let me know the URL:

Do you not have a website set up with WebMention capabilities? You can use Comment Parade.