Properly patching packages: persistently producing patches for published projects, particularly practically prevented by patch-package policy (10 mins read).
How to use patch-package to modify NPM dependencies, for instance when you're distributing an executable and you want to patch something you rely upon, without relying upon postinstall scripts.
by 
Jamie Tanna
.
#blogumentation
#nodejs
#npm
#dependency-management-data.
Off the back of the tj-actions/changed-files #SupplyChainSecurity attack, I've written up how you can use #DependencyManagementData to determine the impact across your org - already found it's been very useful π
by Jamie Tanna
.
#supply-chain-security
#dependency-management-data.
Finally put the finishing touches to my rewrite of the renovate-graph docs which I started on Monday at #BatchBunch
by Jamie Tanna
.
#documentation
#dependency-management-data
#batch-bunch.
Celebrating dependency-management-data's second birthday (7 mins read).
Reflecting on the last year of the project.
FYI that #DependencyManagementData v0.114.0 is out with an important refactor, but is one to watch out for!
If you're using the Renovate datasource, the package_names may be different to what they were previously. This now makes them actual package names, rather than the "pretty" depName but it's likely to catch folks out π
You can now resolve remote presets when using Renovate's local platform in renovate-graph (2 mins read).
Announcing a new release of renovate-graph, which can now follow github> and local> presets.
Creating renovate-packagedata-diff to diff Renovate package data dumps (3 mins read).
Announcing the release of renovate-packagedata-diff which makes it possible to provide a semantic diff between different Renovate package data dumps.
Lessons learned adding OpenTelemetry to a (Cobra) command-line Go tool (10 mins read).
Some reflections on what I've found good and not so good about instrumenting a command-line tool with OpenTelemetry.
by Jamie Tanna
.
#blogumentation
#go
#command-line
#opentelemetry
#dependency-management-data.
Summarising the skipReasons for Renovate data exports (2 mins read).
How to work out what skipReasons you have for your Renovate package data.
by Jamie Tanna
.
#blogumentation
#renovate
#dependency-management-data.
Why yes, #DependencyManagementData now has stickers π
How to use Dependency Management Data to discover which dependencies are participating in Hacktoberfest (3 mins read).
Detailing how you could use dependency-management-data to gain insight into which dependencies you use are participating in Hacktoberfest.
by Jamie Tanna
.
#open-source
#hacktoberfest
#dependency-management-data.
You can now parse repo-level Renovate configuration with renovate-graph (2 mins read).
Announcing a new release of renovate-graph which now parses repo-level Renovate configuration.
Dependency Management Data's Open Policy Agent support is now a whole lot more efficient (2 mins read).
Talking about the latest release of Dependency Management Data and some refactoring that's led to better performance.
by Jamie Tanna
.
#dependency-management-data
#open-policy-agent.
Dependency Management Data's now on Mastodon! (1 mins read).
Announcing the dependency-management-data Mastodon account for automated release announcements (and more?).
Dynamically querying EndOfLife.date data for internal packages with Open Policy Agent and Dependency Management Data (3 mins read).
How you can retrieve End-of-Life data via EndOfLife.date using Dependency Management Data's Policies functionality.
by Jamie Tanna
.
#dependency-management-data
#blogumentation
#open-policy-agent.
Dependency Management Data is now a lot easier to work with when using Software Bill of Materials (3 mins read).
Announcing an improved model for interacting with SBOMs, removing the need to understand the Repo Key up-front.
Dependency Management Data can now use sql-studio for database browsing (1 mins read).
Announcing the availability of the sql-studio database browser for dependency-management-data's web application.
Dependency Management Data's web application can now be deployed as a single static binary (2 mins read).
Announcing dependency-management-data's embedded SQL browser interface.
What can we learn about the backdooring of xz/liblzma, using OpenSSF Security Scorecards and dependency-management-data? (6 mins read).
Looking at how the recent CVE-2024-3094 vulnerability could provide insight into other cases of risk in dependencies and their lack of code review.
by Jamie Tanna
.
#dependency-management-data
#security
#open-source.
@Marcus@k8s.social Huh, I hadn't noticed they too changed their license. We're going to need tools to help avoid projects not hosted by a foundation in our supply chains if this keeps up. Maybe some Rego rules in @www.jvt.me@www.jvt.me 's DMD :) https://dmd.tanna.dev/
I'm on Changelog and Friends! (2 mins read).
Announcing my first podcast appearance on Changelog and Friends, talking about salary history, the IndieWeb, ADHD and dependency-management-data, among other things.
by Jamie Tanna
.
#podcast
#adhd
#salary
#indieweb
#public-speaking
#dependency-management-data.
Very excited to see that the videos from #StateOfOpenCon #SOOCon24 are up - so if you missed my talk Quantifying Your Reliance on Open Source Software with #DependencyManagementData, you can find the recording on YouTube.
If you're interested, also check out the slides and the full talk writeup.
by Jamie Tanna
.
#state-of-open-con
#soocon24
#dependency-management-data.
Quantifying your reliance on #OSS by @www.jvt.me@www.jvt.me They started to create a dependency tree to determine whether they should take part in #hacktoberfest. But it's not always βοΈπ as in some cases all depends on a very fragile library ([xkcd comic#2347](https://xkcd.com/2347/)) Understanding how your business depends on software is important from a few points: - how am I affected by migrating away from #OpenSource - usage of unwanted libraries - understand usage of libraries and their versions - discover unmaintained, deprecated or vulnerable software But all that applies to #InnerSource too!! - how maintained are the dependencies? - how are the security practices followed in the supply chain? How can we do it? It can be done using #OpenSource with dependency-management-data https://dmd.tanna.dev/ with a CLI and web interface. It uses a #sqlite db, and provides a graphQL api too. And without vendor locking! Dependabot API helped him to get some insights to know where contribute that were helpful to the company he was working. But it was not enough information. endoflife.date helped him to find what's soon to expire and other similar websites for other info. `dmd` helps in an easier way and it uses #renovate and other tools and services to get all the data for the model. Then you can query the db with what you are interested. It comes with some pre-baked queries. For #InnerSource you could define advisories and policies for when you don't have open APIs to query for that information. For example, flag when some software is using an old git server instance or set a set of code owners, or how many customer facing is using an outdated dependency. Their [website has some case studies with more examples](https://dmd.tanna.dev/case-studies/). #SOOCON24
by Jamie Tanna
.
#public-speaking
#dependency-management-data.
Attached: 1 image Hey! Look who it is! @www.jvt.me@www.jvt.me talking about dependence management at #soocon24 https://dmd.tanna.dev/
by Jamie Tanna
.
#dependency-management-data
#soocon24
#public-speaking.
Quantifying your reliance on Open Source software (State of Open Con version) (20 mins read).
A writeup of my talk about the dependency-management-data project at the State of Open Con 2024 conference.
by Jamie Tanna
.
#dependency-management-data
#public-speaking
#state-of-open-con
#soocon24
#open-source
#free-software
#sbom.
Why yes, yes I am wearing a custom #DependencyManagementData t-shirt to #StateOfOpenCon #SOOCon24 π€ big thanks to Carol Gilabert for making it π
by Jamie Tanna
.
#dependency-management-data
#state-of-open-con
#soocon24.
Celebrating dependency-management-data's first birthday (6 mins read).
Reflecting on the last year of the project.
Introducing insight into your dependencies' health in dependency-management-data (2 mins read).
How you can use the new dependency health functionality to better understand your dependencies.
dependency-management-data now has a logo! (1 mins read).
Very excited to note that the project now has a logo.
I was pretty chuffed with adding these Slack notifications (via Goreleaser and go-semantic-release) for releases to #DependencyManagementData which flag when there are breaking changes in the release! Makes it much easier to see at a glance, especially as there's a lot of changes going into it π€
If you've been hearing me talking about #DependencyManagementData and are wondering about some real world scenarios it's been useful, check out the new Case Studies section on the site π
Also looking for more examples of where it's been useful!
Using renovate-to-sbom with the GitHub Dependency Submission API (4 mins read).
How to improve the data in GitHub's Dependency Graph by using an SBOM produced by Renovate data.
by Jamie Tanna
.
#dependency-management-data
#renovate
#sbom
#github.
Been a big week for documentation with #DependencyManagementData - I've added significant docs to the database schema and GraphQL schema and have started a "Understanding the data model" cookbook
If you're running dependency-management-data, you'll now have an indication of which of Mitchell Hashimoto's (now unmaintained) libraries are affecting you now that this change has landed in the -contrib project - thanks Mitchell for the hard work on them, and I'll be sure to keep the list updated as maintainers pick up ownership of other libraries!
You can now interact with dependency-management-data using GraphQL (2 mins read).
Announcing the release of the GraphQL API for dependency-management-data.
You can now use Open Policy Agent with dependency-management-data (2 mins read).
How to use Open Policy Agent to perform much more effective flagging of package compliance with dependency-management-data.
by Jamie Tanna
.
#dependency-management-data
#open-policy-agent.
Using dependency-management-data with npm's SPDX and CycloneDX SBOM export functionality (1 mins read).
How to get started with npm's SBOM export functionality with dependency-management-data.
Introducing renovate-to-sbom to convert Renovate data to Software Bill of Materials (SBOMs) (1 mins read).
Creating a new command-line tool for converting Renovate data exports to Software Bill of Materials (SBOMs).
by Jamie Tanna
.
#dependency-management-data
#renovate
#sbom.
dependency-management-data now supports OSS Review Toolkit (ORT) (1 mins read).
How to use data from OSS Review Toolkit (ORT) with dependency-management-data.
Plea to Software Composition Analysis (SCA) providers and Software Bill of Materials (SBOMs) producers: give us more data! (2 mins read).
Why I think dependency scanning tooling should be providing as much data as possible about scanned projects, to allow other tooling to make better inferences about the data.
by Jamie Tanna
.
#sbom
#dependency-management-data
#persuasive.
New cookbook on the #DependencyManagementData documentation site: Getting Started with SBOM data
Attached: 1 image TIL about https://endoflife.date from @www.jvt.me@www.jvt.me! Part of a great talk about understanding your dependencies at TechMids.
by Jamie Tanna
.
#dependency-management-data
#public-speaking.
Utilising Renovate's local platform to make renovate-graph more efficient (2 mins read).
How using the local platform with renovate-graph can increase the performance of dependency extraction.
by Jamie Tanna
.
#blogumentation
#renovate
#dependency-management-data.
Using dependency-management-data with GitLab's Pipeline-specific CycloneDX SBOM exports (1 mins read).
How to take advantage of SBOM export functionality in GitLab 16.4 with dependency-management-data.
For those who didn't make it to #DevOpsDays London, or who did and want to watch it again, my talk on dependency-management-data is now live on YouTube ππΌ
dependency-management-data now supports Software Bill of Materials (SBOMs) and has better Dependabot support (2 mins read).
Announcing improved support for Dependabot and support for Software Bill of Materials (SBOMs).
Very excited to be speaking at #TechMids2023 on October 20th about Quantifying your reliance on Open Source software, where we'll look at how you can get a better view of your organisation's Open Source and internal dependency usage using dependency-management-data π
by Jamie Tanna
.
#public-speaking
#dependency-management-data
#tech-mids2023.
Custom Advisories: the unsung hero of dependency-management-data (3 mins read).
How to use custom advisories with dependency-management-data to track packages that your organisation may not want to use.
Getting started with Dependency Management Data (4 mins read).
How you can get started using Dependency Management Data in 3 commands.
Quantifying your reliance on Open Source software (24 mins read).
A writeup of my talk at DevOpsNotts, about the dependency-management-data project and how to use it to understand your internal and external dependencies.
by Jamie Tanna
.
#dependency-management-data
#public-speaking
#devops-notts
#open-source
#free-software.
You're currently viewing page 1 of 2, of 57 posts.