How do you vet open source libraries?

Question

I try to minimise the impact of security vulnerabilities, but it just seems painstaking to look through a ton of code. Is there processes that people/companies follow that decrease the time taken to do this?

softwaredoug · Accepted Answer

- how recent was the last commit?- what is the license? (Avoiding copyleft headaches)- do the issues look cared for?- is there an issue asking &ldquo;is the project maintained any longer?&rdquo;- what business or person is behind the project? What is their motive for creating the project?- how much of an impact would it be if the project disappeared tomorrow? Could I maintain a fork or rebuild it? Is it core business functionality or a side thing?- do others at my company use it? Or do they have a different library/etc for solving the problem?

burntoutfire · Answer

I check if it's on a list of libraries that we're allowed to use in our bank (my employer). Then I learn that the list is a total mess, the people in charge of it have been purged in the latest round of cost-saving-inspired firings and apparently no one was assigned this responsibility after that. Then I just use whatever I want.

Raed667 · Answer

Just the basics: number of installs, activity of maintainers, the "feel" of their Github repository.I have never had the need (nor was I asked) to vet code in depth before adding a dependency.

tacostakohashi · Answer

Ideally you can use the libraries provided by your linux distribution / vendor, and they can do the heavy lifting and economies of scale can be taken advantage of.Even if you're not actually running your code on Debian / RHEL / whatever, using libraries that are distributed by those vendors where possible is a good start.

codegladiator · Answer

Fork the repo and keep an eye on the original repo commits/issues.

bananamansion · Answer

you can use https://snyk.io/advisor/