As software developers, we often use open-source libraries. In this talk, I will share a few tips on selecting an open-source library and what to pay attention to when working with open-source libraries.
Video Summary and Transcription
This talk provides tips for selecting the right open-source library, such as using NPM trends to compare libraries and considering bundle size, dependencies, and licenses. It also emphasizes the importance of choosing libraries maintained by multiple maintainers and being cautious when trusting engineers. The talk highlights a cautionary tale about relying on a single maintainer and suggests paying attention to changes in major versions and specifying exact versions in dependencies to mitigate security vulnerabilities.
Available in Español
1. Introduction to Selecting Open Source Libraries
Short description:
In this talk, we will discuss how to select the right open-source library for your needs. We will start with an example of implementing forms in React and explore tips for choosing the best library. One tip is to use NPM trends to compare different libraries based on statistics like creation date, stars, last update, open bugs, and bundle size.
Hi, everyone, and welcome to the talk, Is It a One? Or, in other words, How to Select an Open Source Library? My name is Karen Kenzie. I'm a senior software engineer. I love to volunteer at different initiatives to help women in R&D in their professional growth. I volunteer as a co-manager of two programs. One is the Tech Blogging Workshop, and the other one is Codefest. I love sharing knowledge and I love to study new technologies and psychology.
And today we're going to talk about how to select open source library. I will give you tips to help you select the one that is right for you. And we will start with an example. So let's say, for example, we are front-end developers, we are using React, and we need to implement some sort of forms. Now, forms can get complicated, especially if they have different kind of input fields, if they have several steps. And we don't need to manage everything ourselves. There are great libraries out there that can help us do exactly that. So how do you choose the right one for you?
Tip number one, go to NPM trends. You can scan this QR, and it will redirect you to NPM trends. And what you will see there is a way to compare between different open-source library. For example, let's say that your colleague recommended using React form, which is currently the leading form management library. Then React Trends, once you click over here, the name, will recommend you similar libraries to compare it to. You can see here that Formic is in second place, and there are other libraries that you can compare.
Important thing to pay attention for. NPM will show you statistics, for example. It will show you when the library was created. It will show you how many stars the library has, when it was last updated. When you choose a library, you want to make sure you select an open-source library that is well-maintained, meaning it keeps maintaining, it doesn't, the last time it maintained was, for example, if we take a look at ReactUK form, it was recently maintained. You want to check also the number of open bugs, which appears over here. You can see ReactUK form, for example, has only 24 open bugs, which means it's really well maintained. And another thing to check is the bundle size. You can see here the minified size. If you click on the statistic, it will redirect you to another important website, which is BundlePhobia. This is the QR that will take you there, and if you take a look, for example, in BundlePhobia, on the bundle size of ReactUK form, you have different kinds of information displayed.
2. Considerations for Selecting Open-Source Libraries
Short description:
When selecting an open-source library, it's important to consider the bundle size, dependencies, and license. Having fewer dependencies can reduce the risk of security vulnerabilities. Additionally, it's advisable to choose a library maintained by multiple maintainers and to be cautious when trusting engineers. A cautionary tale highlights the potential risks of relying on a single maintainer. It's crucial to pay attention to changes, especially in major versions, and specify the exact version in your dependencies. Consider specifying a version range or using package manager features like NPM overrides or yarn resolution to mitigate security vulnerabilities. These tips can help you make informed decisions when selecting and using open-source libraries.
You can see the bundle size, minified, and you can also see the download time, and one important thing to check is the dependency. Over here, down there, you can see the composition. You can see the dependencies of the library. Here you can tell that ReactUk form has no dependency, and if you compare it, for example, to Formic, you can see that Formic depends on lodash ES and other libraries. Now, it doesn't mean that this one is better than another, but it means that it might introduce, for example, security vulnerabilities, if one of the dependency in the tree has security vulnerabilities, so it's better to have less dependencies.
Now, fun fact, if you take a look at the graph of the npm trends throughout the years, you can see there is always a drop over here at the beginning of the new year, which is really good, I think it means that the programmers are leaving the computer behind and are busy celebrating new year, and it's a great tip to take some time to relax, recharge and bring back some energy back.
So let's talk about another thing you need to check when you choose an open-source library. Different open-source library have different kinds of open-source license. You can scan this QR and it will take you to the website which specifies all the different licenses an open-source library can have. Now, pay attention that if you use a library with a certain kind of license, it might require you to share your own codebase. It might require you to publish your own code under the same license. It's really also an important thing to check before you're using or modifying code from open-source libraries.
Now, what about the maintainers of the open-source library? Should you trust them? The best advice is to choose a library that is maintained by several maintainers and not just one. You should also be a bit cautious when trusting engineers. Most of us are good people and don't want to harm you, but there are those who suddenly decide to maybe enter and publish infinite loops in their code or even delete the entire repository. So a cautionary tale. Back in January 2022, the maintainer of one of the most popular open-source libraries decided that he had enough of a company using his project without paying for it, large companies of course, not the individual, and he decided that he will publish a new version, called it the Komit Endgame, and gave it a number 666. You can guess by the version number that it probably contained something bad. So in this version everybody who installed the latest version got the entire repository of this library deleted. You can see that it has millions of weekly downloads, you can also see the license and everything, but it's really important to pay attention to what are the changes, especially in major version, that are introduced in the open source library that you choose. Now this maintainer wasn't a maintainer only of Faker, which is the library that company used to fake data, to generate fake data, it was also the maintainer of another open source library named Colors. Now you might think that, oh, it's ok, I don't use Colors, but maybe one of your dependencies in the tree uses this library. So what he did there is publish version, in which he inserted infinite loop that caused denial of service, and many people had this library in their dependency tree. So it caused a lot of trouble and it wasn't even a major version. So you really need to take it as a cautionary tale and remember, specify the exact version in your dependency, not just automatically take the latest version, wait a bit to hear for the community, how is the latest version, check the dependency if you have the time, and this is a really good lesson. And if you're afraid that somewhere in your nested dependency tree there might be a security vulnerability or something like that, you can also specify the range of version that you want to install and if you permit you can also specify a specific version you want to install by using either NPN overrides or if you're using yarn, yarn resolution. So those are my tips, what you need to pay attention to when selecting a library, and once you select don't automatically install the latest update. If you have any other tips, if you want to share how you select your own library to use, please share it with me, I will be happy to hear and I will also be happy to hear what is your favorite open source library.
