A couple of weeks ago I was at the Manchester Gophers, giving them a sneak peek of the tutorial I'm doing on Friday at #GopherConUK, and I had a blast - it was a great time with some great people, and I'm always a fan of sharing more about #DependencyManagementData
Their post has some other great photos, but I think if you really want convincing to go and speak - if the great people aren't enough - you also get an amazing speaker gift - a custom-made Gopher!
Looking forward to seeing folks, learning from some awesome people, and sharing some cool insights you can learn from your organisation with #DependencyManagementData
How to use patch-package to modify NPM dependencies, for instance when you're distributing an executable and you want to patch something you rely upon, without relying upon postinstall scripts.
If you're using the Renovate datasource, the package_names may be different to what they were previously. This now makes them actual package names, rather than the "pretty" depName, but it's likely to catch folks out
@Marcus@k8s.social Huh, I hadn't noticed they too changed their license. We're going to need tools to help avoid projects not hosted by a foundation in our supply chains if this keeps up. Maybe some Rego rules in @www.jvt.me@www.jvt.me 's DMD :)
https://dmd.tanna.dev/
Announcing my first podcast appearance on Changelog and Friends, talking about salary history, the IndieWeb, ADHD and dependency-management-data, among other things.
Quantifying your reliance on #OSS by
@www.jvt.me@www.jvt.me
They started to create a dependency tree to determine whether they should take part in #hacktoberfest. But it's not always so simple, as in some cases everything depends on a very fragile library ([xkcd comic #2347](https://xkcd.com/2347/))
Understanding how your business depends on software is important from a few points:
- how am I affected by migrating away from #OpenSource
- usage of unwanted libraries
- understand usage of libraries and their versions
- discover unmaintained, deprecated or vulnerable software
But all that applies to #InnerSource too!!
- how maintained are the dependencies?
- how are the security practices followed in the supply chain?
How can we do it? It can be done using #OpenSource with dependency-management-data https://dmd.tanna.dev/ with a CLI and web interface. It uses a #sqlite db, and provides a GraphQL API too. And without vendor lock-in!
Dependabot's API helped him get some insights into where to contribute that were helpful to the company he was working for. But it was not enough information. endoflife.date helped him find what's soon to expire, and other similar websites gave other info. `dmd` helps in an easier way, and it uses #renovate and other tools and services to get all the data for the model.
Then you can query the db for whatever you are interested in. It comes with some pre-baked queries.
For #InnerSource you could define advisories and policies for when you don't have open APIs to query for that information. For example, flag when some software is using an old git server instance, or a set of code owners, or how many customer-facing services are using an outdated dependency.
Their [website has some case studies with more examples](https://dmd.tanna.dev/case-studies/).
#SOOCON24
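To make the "query the db with what you are interested in" and "define advisories and policies" points concrete, here is an added example (not from the talk, and not dependency-management-data's own code or schema). It builds an in-memory SQLite database with a constructed, simplified layout of the kind a Renovate-based scanner plus some organisation metadata would give you, then expresses three policy checks as plain SQL: outdated dependencies in customer-facing repos with the owning team to notify, how many customer-facing repos pin an outdated version of each package, and hand-written advisories (here a policy flag for modules still pulled from an old, fictional internal git host). All table and column names, repos, hosts and rows are assumptions constructed for the example.

```python
"""Querying a dependency database as policy checks: an added, constructed example."""
import sqlite3

# Constructed, simplified schema standing in for a per-dependency table populated by
# a Renovate-style scanner plus organisation-specific metadata. It is NOT the real
# dependency-management-data schema; every name here is an assumption.
SCHEMA = """
CREATE TABLE dependencies (
    repo            TEXT NOT NULL,
    package_manager TEXT NOT NULL,
    package_name    TEXT NOT NULL,
    version         TEXT NOT NULL,   -- version the repo pins
    current_version TEXT             -- latest version the scanner found, NULL if unknown
);
CREATE TABLE repository_metadata (
    repo            TEXT PRIMARY KEY,
    customer_facing INTEGER NOT NULL, -- 1 if the service is reachable by customers
    owner           TEXT NOT NULL     -- code-owning team
);
-- Hand-written advisories for things no public API can tell you (InnerSource, internal hosts).
CREATE TABLE advisories (
    package_manager TEXT NOT NULL,
    package_pattern TEXT NOT NULL,    -- SQL LIKE pattern matched against package_name
    advisory_type   TEXT NOT NULL,    -- e.g. POLICY, DEPRECATED
    description     TEXT NOT NULL
);
"""

# Constructed sample data: fictional repos and a fictional internal git host.
DEPENDENCIES = [
    ("shop/checkout-web",   "npm",   "express",                           "4.17.1",  "4.19.2"),
    ("shop/checkout-web",   "npm",   "lodash",                            "4.17.21", "4.17.21"),
    ("shop/internal-admin", "npm",   "express",                           "4.17.1",  "4.19.2"),
    ("shop/billing-api",    "gomod", "git.old.example.com/platform/auth", "v1.2.0",  "v1.2.0"),
    ("shop/billing-api",    "gomod", "github.com/lib/pq",                 "v1.10.0", "v1.10.9"),
]
REPOSITORY_METADATA = [
    ("shop/checkout-web",   1, "team-web"),
    ("shop/internal-admin", 0, "team-web"),
    ("shop/billing-api",    1, "team-payments"),
]
ADVISORIES = [
    ("gomod", "git.old.example.com/%", "POLICY",
     "git.old.example.com is being decommissioned; move modules to git.example.com"),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dependencies VALUES (?, ?, ?, ?, ?)", DEPENDENCIES)
    conn.executemany("INSERT INTO repository_metadata VALUES (?, ?, ?)", REPOSITORY_METADATA)
    conn.executemany("INSERT INTO advisories VALUES (?, ?, ?, ?)", ADVISORIES)
    conn.commit()
    return conn


def customer_facing_outdated(conn: sqlite3.Connection) -> list[tuple[str, str, str, str, str]]:
    """Outdated dependencies in customer-facing repos, with the owning team to notify.

    "Outdated" is a plain string inequality against the scanner's latest known
    version; a real check would compare versions with the package manager's own rules.
    """
    rows = conn.execute(
        """
        SELECT d.repo, m.owner, d.package_name, d.version, d.current_version
          FROM dependencies d
          JOIN repository_metadata m ON m.repo = d.repo
         WHERE m.customer_facing = 1
           AND d.current_version IS NOT NULL
           AND d.version <> d.current_version
         ORDER BY d.repo, d.package_name
        """
    ).fetchall()
    return [tuple(r) for r in rows]


def customer_facing_repos_per_outdated_package(conn: sqlite3.Connection) -> dict[str, int]:
    """How many customer-facing repos pin an outdated version of each package."""
    rows = conn.execute(
        """
        SELECT d.package_name, COUNT(DISTINCT d.repo)
          FROM dependencies d
          JOIN repository_metadata m ON m.repo = d.repo
         WHERE m.customer_facing = 1
           AND d.current_version IS NOT NULL
           AND d.version <> d.current_version
         GROUP BY d.package_name
        """
    ).fetchall()
    return {name: count for name, count in rows}


def advisory_hits(conn: sqlite3.Connection) -> list[tuple[str, str, str, str]]:
    """Dependencies matched by a hand-written advisory: (repo, package, type, description)."""
    rows = conn.execute(
        """
        SELECT d.repo, d.package_name, a.advisory_type, a.description
          FROM dependencies d
          JOIN advisories a
            ON a.package_manager = d.package_manager
           AND d.package_name LIKE a.package_pattern
         ORDER BY d.repo, d.package_name
        """
    ).fetchall()
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    for row in customer_facing_outdated(db):
        print("OUTDATED", row)
    print(customer_facing_repos_per_outdated_package(db))
    for row in advisory_hits(db):
        print("ADVISORY", row)
```

The point of keeping the advisory as a table rather than hard-coding it into a query is that an internal concern (a host being decommissioned, a team-owned library nobody maintains) can be added as one row and immediately joined against every scanned repository, which is exactly the gap the talk describes when there is no public API to ask.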
I was pretty chuffed with adding these Slack notifications (via Goreleaser and go-semantic-release) for releases to #DependencyManagementData which flag when there are breaking changes in the release! Makes it much easier to see at a glance, especially as there's a lot of changes going into it
Why I think dependency scanning tooling should be providing as much data as possible about scanned projects, to allow other tooling to make better inferences about the data.
TIL about https://endoflife.date from @www.jvt.me@www.jvt.me!
Part of a great talk about understanding your dependencies at TechMids.
For those who didn't make it to #DevOpsDays London, or who did and want to watch it again, my talk on dependency-management-data is now live on YouTube