Tag dependency-management-data


Liked DVD (@dvdgc13@octodon.social)
Post details
Quantifying your reliance on #OSS by @www.jvt.me@www.jvt.me They started to create a dependency tree to determine whether they should take part in #hacktoberfest. But it's not always ☀️🌈 as in some cases all depends on a very fragile library ([xkcd comic#2347](https://xkcd.com/2347/)) Understanding how your business depends on software is important from a few points: - how am I affected by migrating away from #OpenSource - usage of unwanted libraries - understand usage of libraries and their versions - discover unmaintained, deprecated or vulnerable software But all that applies to #InnerSource too!! - how maintained are the dependencies? - how are the security practices followed in the supply chain? How can we do it? It can be done using #OpenSource with dependency-management-data https://dmd.tanna.dev/ with a CLI and web interface. It uses a #sqlite db, and provides a graphQL api too. And without vendor locking! Dependabot API helped him to get some insights to know where contribute that were helpful to the company he was working. But it was not enough information. endoflife.date helped him to find what's soon to expire and other similar websites for other info. `dmd` helps in an easier way and it uses #renovate and other tools and services to get all the data for the model. Then you can query the db with what you are interested. It comes with some pre-baked queries. For #InnerSource you could define advisories and policies for when you don't have open APIs to query for that information. For example, flag when some software is using an old git server instance or set a set of code owners, or how many customer facing is using an outdated dependency. Their [website has some case studies with more examples](https://dmd.tanna.dev/case-studies/). #SOOCON24