Open-source dependencies

Open-source frameworks and libraries are Legos of the app development work—ready-made pieces you can snap together with a package manager to save time, avoid reinventing the wheel, and tap into community-vetted code for critical elements like cryptography. The ecosystem has untapped so much potential and velocity, but just like stepping on a Lego brick in the night, mismanaging these dependencies can easily come with unexpected and surprisingly sharp pain.

For web applications, open-source dependencies come in three primary flavors:

You already know how to install and update dependencies, but what about scanning them for vulnerabilities and potential licensing risk? Unfortunately, the tooling ecosystem for scanning dependencies can feel very convoluted, leading many to passively rely on tools like Dependabot for GitHub or Dependency Scanning for GitLab.

As you develop a new app, start with some kind of lockfile (e.g., package-lock.json) to ensure consistent installations across development/staging/production environments and even multiple developers working asynchronously.

You and peers should meet the task of adding any new dependency with skepticism—do some cost-benefit analysis as to whether you could reasonably implement the same feature yourself. If not, evaluate each potential package for the strength of its community, whether it’s being actively maintained (particularly for security vulnerabilities), and whether it’s been a vector for attacks in the past.

Not all dependency management work should be manual. Open-source dependency management should also be looped into your CI/CD pipeline so you can instantly catch vulnerabilities from newly adopted packages as soon as possible. Make sure those build artifacts are also stored safely, as keeping an inventory of your dependencies and licenses over time can dramatically smooth your compliance work.

Finally, keep your dependencies updated regularly using update commands.