Introducing Dependency CI

Andrew Nesbitt
2 min read · Jul 12, 2016

TL;DR: Today I’m launching a project to help make reviewing the dependencies of your software applications easy and encourage better compliance practices in your development workflows: https://dependencyci.com/

Software projects have a lot of open source dependencies nowadays, and we as developers need more tools to help us keep on top of all of them.

As a developer, you need ways of finding out if any libraries used are incorrectly licensed, marked as deprecated or unmaintained by their authors, or have potential security vulnerabilities.

It can be time-consuming to manually review all of those dependencies, so developers often don’t bother, which over time can lead to serious technical, and potentially legal, debt in their code bases.

When the time comes to do due diligence or compliance checks, you might find out that you’re heavily dependent on a library with a conflicting or missing license, which could mean having to rework the code that depends on it.

Dependency CI integrates directly into your GitHub workflow just like a traditional CI system, running a set of configurable tests on any dependencies it detects in the code base. It checks for unlicensed, deprecated or unmaintained libraries that your code depends upon.
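As an added illustration of the kind of checks described above (not Dependency CI’s own code): a small policy check over a constructed package.json, with a constructed metadata table standing in for what a registry or Libraries.io lookup would return. The staleness threshold is one of the configurable parts.

```python
import json
from datetime import date, timedelta

# Constructed metadata, standing in for what a registry or Libraries.io lookup
# would return; None means the package is unknown to the index.
REGISTRY = {
    "left-pad":    {"license": "MIT",        "deprecated": False, "last_release": "2016-06-01"},
    "old-util":    {"license": None,         "deprecated": False, "last_release": "2013-02-10"},
    "shiny-thing": {"license": "Apache-2.0", "deprecated": True,  "last_release": "2016-05-01"},
    "mystery":     None,
}

# Constructed package.json for an example application.
MANIFEST = json.dumps({
    "name": "example-app",
    "dependencies": {"left-pad": "^1.0.0", "old-util": "*", "shiny-thing": "2.1.0"},
    "devDependencies": {"mystery": "1.0.0"},
})

# Constructed "today" for the example (the date of this post).
AS_OF = date(2016, 7, 12)


def parse_npm_manifest(text):
    """Return the dependency names declared in a package.json (runtime and dev)."""
    data = json.loads(text)
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(data.get(section, {}).keys())
    return names


def check_dependencies(manifest_text, registry, today, unmaintained_after_days=730):
    """Return (package, issue) pairs for unknown, unlicensed, deprecated or stale deps, in manifest order."""
    findings = []
    for name in parse_npm_manifest(manifest_text):
        meta = registry.get(name)
        if meta is None:
            findings.append((name, "unknown"))   # not in the index: cannot be reviewed
            continue
        if not meta.get("license"):
            findings.append((name, "unlicensed"))
        if meta.get("deprecated"):
            findings.append((name, "deprecated"))
        last = date.fromisoformat(meta["last_release"])
        if today - last > timedelta(days=unmaintained_after_days):
            findings.append((name, "unmaintained"))
    return findings


if __name__ == "__main__":
    for package, issue in check_dependencies(MANIFEST, REGISTRY, AS_OF):
        print(f"{package}: {issue}")
```

An empty result means the manifest passes; a non-empty one is what a CI status on the pull request would surface.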

This works great with GitHub pull requests, allowing you to spot any potentially bad dependencies as they are being added.

Dependency CI shows up right in the GitHub interface as you review pull requests, ensuring any issues are highlighted before you merge and ship the code to production.

It’s built on top of Libraries.io, which gives it access to metadata on over 1.5 million open source libraries. Libraries.io is updated over 200 times per day with the latest changes from every package manager, which means it always has the latest information.

Dependency CI currently supports dependency checks from 21 popular package managers including NPM, Rubygems, Maven, CocoaPods, Packagist, Bower and NuGet.

Sign up today and get a better picture of your dependencies

I’ve been working on Dependency CI along with Libraries.io in my spare time for the past few months. It’s great to finally get it out into the real world and used by many popular open source projects.

It’s 100% free for open source projects, and there’s a 14 day free trial for checking private GitHub repositories too.

I want to build something that’s really useful to software developers everywhere, and I would love to hear your thoughts and suggestions. You can also email me: andrew@dependencyci.com

Andrew Nesbitt

Package management nerd. Creator of @octoboxio, @Librariesio, @24pullrequests and co-host of @manifestpodcast.