How to gauge open source package health: Tools and practices for picking the best package

Keenan Szulik (Tidelift)

4:50pm–5:40pm Wednesday, February 26, 2020

Location: Nassau

Business concerns, Key skills

Secondary topics: Best Practice

Average rating:

(3.00, 2 ratings)

Who is this presentation for?

Software developers, engineers, and CxOs, VPs, and directors

Level

Beginner

Description

The pressure on application development teams has never been higher. Organizations of all sizes and types depend on their development teams to build amazing products and digital experiences that keep users happy. And shifting road maps and requirements often leave developers scrambling to deliver with less time than they’d like. With pressure to move fast, there’s an accompanying need to automate today’s manual approaches to researching and selecting open source packages. When development teams don’t approach this vetting process comprehensively, they can get bogged down in wrangling dependency issues and open themselves and their organizations to license and security risks.

Keenan Szulik leads a deep dive into selecting the right open source package, which is not always a straightforward process. It can often be time consuming, tedious, and error prone. You’ll learn how to simplify, streamline, and strengthen the process through identification, or how to get visibility into essential information on millions of open source packages; resolution, or what to do when an issue with a dependency is discovered; and prevention, or developing a repeatable process for ongoing maintenance as your team and stack evolve.

The urgency around improving package vetting becomes clear when you stop to consider just how many open source packages go into a modern application. For instance, while Facebook maintains top-level React packages, the framework depends on over 1,000 discrete open source packages and libraries. That’s 1,000 potential attack vectors, 1,000 potential license issues, and 1,000 packages whose creators may move on to other things, leaving users literally holding the bag.

It turns out that roughly 20 percent of dependencies in boilerplate React, Angular, and Vue applications, for example, go unmaintained. And no less than 80 percent of maintained packages have no vulnerability disclosure policy, and therefore no mechanism to receive bug reports and address them.

Prerequisite knowledge

A basic understanding of open source

What you'll learn

Discover best practices for application development teams to use when selecting open source packages

Keenan Szulik

Tidelift

As a product manager at Tidelift, Keenan has he the opportunity to partner with both enterprise development teams depending on open source, as well as hundreds of independent open source maintainers. That marriage of experiences lends a unique understanding of the critical role that open source packages play in the modern software development lifecycle.

Prior to his role as a product manager, Keenan has worked as a data scientist (using many open source packages himself), for Tidelift, the Minnesota Twins, and Major League Baseball.