How do you "vet" external libraries when adding them to a project? Best practices. #8019

Open
@emilyashley

I've seen a few questions, issues, and PRs for review on vetting which external libraries to bring in. Not sure if this is the best place, but I wanted to share what I generally look for when adding new dependencies while it is on my mind. I can check these out for you, esp. if you post a list of all the ones you may be considering :)

There's no need to write all of our software from scratch, but we also want to balance convenience with the control we'll have over the maintainability of our software when we add external components.

Things I look for:

  • The Docs: does it have readable documentation? Feel free to link to the docs of new dependencies in the pull request adding them; others can scope it out and see if they have questions and if they would easily know how to use this.
  • Their Release Process: does the repository have clear release and patch communication? Does it seem brittle or unpredictable, i.e. will the dependency change underneath us without warning? Do you see a lot of "rollbacks"? If so, make sure to use the appropriate syntax to pin it to a specific version in the dependency management file to minimize that risk. (If you add a dependency, see if you can help take stewardship over the dependabot PRs on that resource in the future, too!)
  • Contributor Community Health: does the repo have a good number of contributors? Are open issues getting comments and resolutions? There's no right number, just check it out for red flags (e.g. 2 contributors that haven't responded in over a year might not be a reliable choice).
  • The License: make sure there's clear permission to use the software in the way we intend.

Bonus:

  • Do they seem performant? Are they bundled and loaded (or can they be bundled and loaded) in a way that doesn't significantly slow our system? If there's only one or two functions or features we need, see if they've provided a way to custom load just those. (This differs a lot across languages and libraries and may not be possible.)
  • Are there documented security issues? I'm not the best at security, any one got tips on this??

A thing I've done on teams before is to create a pull request with the bare minimum code to add the dependency to a project and briefly list the features I found useful from the library and how I might be using them. That way our asynchronous team had a place for discussion and group "vetting" of a library, each with different concerns (devops, security, performance, complexity, etc.). Dunno if that works here, but sharing what I know :)

What do y'all think? What do you look for??
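As an added example (not from this issue or its project), here is a small Python check for the "pin it to a specific version" advice above: it parses a constructed pip-style requirements.txt, classifies each dependency's pin strictness, notes whether a `--hash=` is supplied for pip's hash-checking mode, and returns the ones that could change underneath you on the next install.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample manifest for illustration; not from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed example
requests[security]==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask>=2.0,<3
pyyaml
numpy~=1.26
-r other.txt
urllib3==2.2.1 ; python_version < "3.12"
"""

@dataclass
class Finding:
    name: str      # normalized distribution name (PEP 503 style)
    pin: str       # "exact", "range", or "unpinned"
    hashed: bool   # True when a --hash= option accompanies the requirement
    spec: str      # raw version specifier, e.g. ">=2.0,<3"

def classify_requirement(line: str) -> Optional[Finding]:
    """Classify one requirements.txt line; None for blanks, comments and -r/-e options."""
    hashed = "--hash=" in line
    line = line.split("#", 1)[0].strip()          # drop trailing comment
    if not line or line.startswith("-"):
        return None
    body = line.partition(";")[0]                 # drop environment marker
    body = body.partition(" --")[0].replace(" ", "")  # drop per-requirement options
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$", body)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, _extras, spec = m.groups()
    clauses = [c for c in spec.split(",") if c]
    ops = []
    for c in clauses:
        om = re.match(r"^(===|==|~=|!=|<=|>=|<|>)", c)
        if om is None:
            raise ValueError(f"bad version clause {c!r} in {line!r}")
        ops.append(om.group(1))
    if not ops:
        pin = "unpinned"
    elif any(op in ("==", "===") for op in ops) and not any(c.endswith("*") for c in clauses):
        pin = "exact"                               # "==2.*" is a wildcard, not an exact pin
    else:
        pin = "range"
    return Finding(re.sub(r"[-_.]+", "-", name).lower(), pin, hashed, spec)

def vet_manifest(text: str) -> List[Finding]:
    return [f for f in (classify_requirement(l) for l in text.splitlines()) if f]

def red_flags(findings: List[Finding]) -> List[str]:
    """Dependencies that are not pinned to an exact version and so may drift between installs."""
    return [f.name for f in findings if f.pin != "exact"]
```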
