The founder of an open-source library discovery service launched a new project today that continuously tests a codebase's open-source dependencies for potential vulnerabilities and other issues.
The project is Dependency CI, an open-source tool that plugs into a GitHub workflow the way other CI systems do. It runs a set of configurable tests on every dependency it detects in a codebase, flagging libraries with incorrect licenses and libraries that are deprecated or unmaintained.
Andrew Nesbitt, founder of Libraries.io (an open-source library and framework discovery service launched in March 2015) and creator of Dependency CI, said he has been working on it for months. In a blog post, he wrote that the motivation behind Dependency CI is to give developers an easy way to review all of their dependencies.
Manually reviewing dependencies is so time-consuming that developers end up skipping the step, and the missing reviews can leave serious technical, and potentially legal, debt in their codebases, Nesbitt wrote.
Dependency CI is built on top of Libraries.io, which gives it access to metadata on more than 1.5 million open-source libraries. Nesbitt said Libraries.io is updated more than 200 times per day from every package manager, so it always has the latest information.
With it, developers can see the relevant security advisories for a whole dependency tree and avoid merging potentially insecure libraries. Because Dependency CI tests each dependency on every pull request, it can catch potentially insecure or unlicensed libraries before a developer merges them.
Today, Dependency CI can test a project after every commit for deprecated, unavailable, unmaintained and unlicensed dependencies. Checks for insecure, outdated and conflicting dependencies, and for dependencies with a low bus factor (libraries that rely on one or a handful of maintainers), are planned.
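To make concrete what a per-commit check of that kind does, here is an added example written for this article. It is not Dependency CI's own code and does not use the Libraries.io API; the manifest, the metadata fields, the package names, the license allowlist and the two-year staleness threshold are all constructed assumptions. It classifies each declared dependency as unavailable, unlicensed, wrongly licensed, deprecated or unmaintained against a metadata index and returns a non-zero exit status when anything is flagged, which is what makes it usable as a merge gate.

```python
"""Minimal dependency gate (added example, not Dependency CI's code).

The metadata index below stands in for a registry/Libraries.io lookup;
its field names are assumptions, not a real schema.
"""
import sys
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample manifest: package names are hypothetical.
MANIFEST = {
    "dependencies": {
        "example-http": "2.1.0",
        "legacy-xml": "0.9.4",
        "oldtool": "1.0.0",
        "gplthing": "3.2.0",
        "private-fork": "0.1.0",
    }
}

# Constructed metadata index. "private-fork" is deliberately absent,
# which a checker should report as an unavailable dependency.
METADATA = {
    "example-http": {"license": "MIT", "deprecated": False, "latest_release": "2016-08-20"},
    "legacy-xml": {"license": "Apache-2.0", "deprecated": True, "latest_release": "2016-01-10"},
    "oldtool": {"license": None, "deprecated": False, "latest_release": "2013-05-01"},
    "gplthing": {"license": "GPL-3.0", "deprecated": False, "latest_release": "2016-07-01"},
}

# Assumed policy: permissive licenses only, and no release in two years
# counts as unmaintained.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
UNMAINTAINED_AFTER = timedelta(days=2 * 365)


@dataclass(frozen=True)
class Finding:
    package: str
    check: str
    detail: str


def check_dependency(name, meta, today, allowed=ALLOWED_LICENSES):
    """Return the findings for one dependency given its metadata (or None)."""
    findings = []
    if meta is None:
        # Nothing known about it: cannot be fetched from the registry.
        findings.append(Finding(name, "unavailable", "not found in registry metadata"))
        return findings
    lic = meta.get("license")
    if not lic:
        findings.append(Finding(name, "unlicensed", "no license declared"))
    elif lic not in allowed:
        findings.append(Finding(name, "license", f"{lic} is not in the allowlist"))
    if meta.get("deprecated"):
        findings.append(Finding(name, "deprecated", "marked deprecated by its maintainer"))
    last = date.fromisoformat(meta["latest_release"])
    if today - last > UNMAINTAINED_AFTER:
        findings.append(Finding(name, "unmaintained", f"last release on {last.isoformat()}"))
    return findings


def audit(manifest, metadata, today):
    """Check every declared dependency, in a stable order."""
    findings = []
    for name in sorted(manifest["dependencies"]):
        findings.extend(check_dependency(name, metadata.get(name), today))
    return findings


def summarize(findings):
    """Map package name -> sorted list of failed check names."""
    out = {}
    for f in findings:
        out.setdefault(f.package, []).append(f.check)
    return {k: sorted(v) for k, v in out.items()}


def ci_exit_code(findings):
    """Any finding fails the build, so the pull request cannot be merged."""
    return 1 if findings else 0


def run_sample():
    """Audit the constructed manifest at a fixed date for reproducibility."""
    return audit(MANIFEST, METADATA, date(2016, 9, 1))


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.check:12s} {f.package:14s} {f.detail}")
    sys.exit(ci_exit_code(results))
```

In a real pipeline the manifest would be parsed from the lockfile of the package manager in use and the metadata fetched from a registry or an index such as Libraries.io; the policy values (allowlist, staleness window) are the parts a team would want to configure per repository, which is the "configurable tests" idea described above.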
Dependency CI currently supports dependency checks for 21 package managers, among them Julia, Maven, NPM, NuGet, PyPI and RubyGems. It is free for open-source projects, and there is a 14-day free trial for checking private GitHub repositories.