Know your dependencies

Over the past month or so, for no reason in particular, the security and sustainability of open-source software has been a frequent topic of conversation among colleagues. As developers, how do we make ourselves more aware of the code we rely on? And what do we do once we’re more aware of it?

For JavaScript projects, the internals of npm don’t always work in our favor. There are good things: We are forced to witness the whoosh of our dependency tree as we npm install, and the recent addition of npm audit is very welcome. But we tend to take for granted the fact that we build our projects on top of unvetted, constantly shifting code written by people we’ve never met.

As one small way to combat this, I wrote know-your-deps, a tiny npm package that randomly picks a dependency from your project and tells you about it. To use it, run this in the root of your repo:

npx know-your-deps

Chances are, it will spit out a package you’ve never heard of. Ask yourself: What is this thing? If you’re game, take the opportunity to visit the project’s homepage. Learn more about it. Try to connect the dots of why it’s a dependency of your project. How old is it? Is it being updated? Is this project thriving? Is it dying? Should it exist at all? Should you support it? How?

Then run it again!