Is It the One? (How to Select an Open-Source Library?)


As software developers, we often use open-source libraries. In this talk, I will share a few tips on selecting an open-source library and what to pay attention to when working with open-source libraries.

10 min
23 Oct, 2023

Video Summary and Transcription

This talk provides tips for selecting the right open-source library, such as using NPM trends to compare libraries and considering bundle size, dependencies, and licenses. It also emphasizes the importance of choosing libraries maintained by multiple maintainers and being cautious when trusting engineers. The talk highlights a cautionary tale about relying on a single maintainer and suggests paying attention to changes in major versions and specifying exact versions in dependencies to mitigate security vulnerabilities.


1. Introduction to Selecting Open Source Libraries

Short description:

In this talk, we will discuss how to select the right open-source library for your needs. We will start with an example of implementing forms in React and explore tips for choosing the best library. One tip is to use NPM trends to compare different libraries based on statistics like creation date, stars, last update, open bugs, and bundle size.

Hi, everyone, and welcome to the talk, Is It the One? Or, in other words, How to Select an Open Source Library? My name is Karen Kenzie. I'm a senior software engineer. I love to volunteer at different initiatives to help women in R&D in their professional growth. I volunteer as a co-manager of two programs. One is the Tech Blogging Workshop, and the other one is Codefest. I love sharing knowledge, and I love to study new technologies and psychology.

And today we're going to talk about how to select an open-source library. I will give you tips to help you select the one that is right for you. And we will start with an example. So let's say, for example, we are front-end developers, we are using React, and we need to implement some sort of forms. Now, forms can get complicated, especially if they have different kinds of input fields, if they have several steps. And we don't need to manage everything ourselves. There are great libraries out there that can help us do exactly that. So how do you choose the right one for you?

Tip number one, go to NPM trends. You can scan this QR, and it will redirect you to NPM trends. And what you will see there is a way to compare between different open-source libraries. For example, let's say that your colleague recommended using React Hook Form, which is currently the leading form management library. Then React Trends, once you click over here, on the name, will recommend you similar libraries to compare it to. You can see here that Formik is in second place, and there are other libraries that you can compare.

An important thing to pay attention to: NPM will show you statistics. For example, it will show you when the library was created. It will show you how many stars the library has, and when it was last updated. When you choose a library, you want to make sure you select an open-source library that is well-maintained, meaning it keeps being maintained; for example, if we take a look at React Hook Form, it was recently maintained. You want to check also the number of open bugs, which appears over here. You can see React Hook Form, for example, has only 24 open bugs, which means it's really well maintained. And another thing to check is the bundle size. You can see here the minified size. If you click on the statistic, it will redirect you to another important website, which is BundlePhobia. This is the QR that will take you there, and if you take a look, for example, in BundlePhobia, at the bundle size of React Hook Form, you have different kinds of information displayed.

2. Considerations for Selecting Open-Source Libraries

Short description:

When selecting an open-source library, it's important to consider the bundle size, dependencies, and license. Having fewer dependencies can reduce the risk of security vulnerabilities. Additionally, it's advisable to choose a library maintained by multiple maintainers and to be cautious when trusting engineers. A cautionary tale highlights the potential risks of relying on a single maintainer. It's crucial to pay attention to changes, especially in major versions, and specify the exact version in your dependencies. Consider specifying a version range or using package manager features like NPM overrides or yarn resolution to mitigate security vulnerabilities. These tips can help you make informed decisions when selecting and using open-source libraries.

You can see the bundle size, minified, and you can also see the download time, and one important thing to check is the dependencies. Over here, down there, you can see the composition. You can see the dependencies of the library. Here you can tell that React Hook Form has no dependencies, and if you compare it, for example, to Formik, you can see that Formik depends on lodash-es and other libraries. Now, it doesn't mean that one is better than the other, but it means that it might introduce, for example, security vulnerabilities, if one of the dependencies in the tree has security vulnerabilities, so it's better to have fewer dependencies.

Now, fun fact, if you take a look at the graph of the npm trends throughout the years, you can see there is always a drop over here at the beginning of the new year, which is really good. I think it means that the programmers are leaving the computer behind and are busy celebrating the new year, and it's a great tip to take some time to relax, recharge and bring back some energy.

So let's talk about another thing you need to check when you choose an open-source library. Different open-source libraries have different kinds of open-source licenses. You can scan this QR and it will take you to the website which specifies all the different licenses an open-source library can have. Now, pay attention that if you use a library with a certain kind of license, it might require you to share your own codebase. It might require you to publish your own code under the same license. It's also a really important thing to check before you're using or modifying code from open-source libraries.

Now, what about the maintainers of the open-source library? Should you trust them? The best advice is to choose a library that is maintained by several maintainers and not just one. You should also be a bit cautious when trusting engineers. Most of us are good people and don't want to harm you, but there are those who suddenly decide to maybe enter and publish infinite loops in their code or even delete the entire repository. So, a cautionary tale. Back in January 2022, the maintainer of one of the most popular open-source libraries decided that he had had enough of companies using his project without paying for it, large companies of course, not individuals, and he decided that he would publish a new version, called the commit Endgame, and gave it the number 666. You can guess by the version number that it probably contained something bad. So in this version, everybody who installed the latest version got the entire repository of this library deleted. You can see that it has millions of weekly downloads, you can also see the license and everything, but it's really important to pay attention to what changes, especially in major versions, are introduced in the open source library that you choose. Now this maintainer wasn't only a maintainer of Faker, which is the library that companies used to generate fake data; he was also the maintainer of another open source library named Colors. Now you might think, oh, it's OK, I don't use Colors, but maybe one of your dependencies in the tree uses this library. So what he did there is publish a version in which he inserted an infinite loop that caused denial of service, and many people had this library in their dependency tree. So it caused a lot of trouble, and it wasn't even a major version.

So you really need to take it as a cautionary tale and remember: specify the exact version in your dependencies, don't just automatically take the latest version, wait a bit to hear from the community how the latest version is, check the dependencies if you have the time, and this is a really good lesson. And if you're afraid that somewhere in your nested dependency tree there might be a security vulnerability or something like that, you can also specify the range of versions that you want to install, and if you prefer you can also specify a specific version you want to install by using either npm overrides or, if you're using yarn, yarn resolutions. So those are my tips, what you need to pay attention to when selecting a library, and once you select, don't automatically install the latest update. If you have any other tips, if you want to share how you select your own library to use, please share it with me, I will be happy to hear, and I will also be happy to hear what is your favorite open source library.
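The pinning advice from the two paragraphs above (exact versions for direct dependencies, npm `overrides` / yarn `resolutions` for transitive ones), turned into a small manifest audit. This is an added example, not code from the talk; the `package.json` object is constructed, and every version string in it is a placeholder rather than a real release.

```javascript
// Added example (not from the talk): audit a package.json for dependency
// specifiers that would pull in a new release on the next install, and check
// that any npm "overrides" / yarn "resolutions" pins are themselves exact.

// A specifier counts as pinned only when it is one exact semver version,
// optionally with a pre-release or build suffix (e.g. 1.2.3-beta.1).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec.trim());
}

// Direct dependencies whose specifier floats: ^, ~, x-ranges, "*", dist-tags
// such as "latest", or anything else that is not a single exact version.
function findFloatingDeps(pkg) {
  const floating = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) floating.push({ field, name, spec });
    }
  }
  return floating;
}

// Overrides/resolutions force a version on a transitive dependency; a floating
// value there defeats the purpose, so report those too. Keys may be yarn-style
// glob paths ("**/colors"), so only the value is checked.
function findFloatingOverrides(pkg) {
  const entries = { ...(pkg.overrides || {}), ...(pkg.resolutions || {}) };
  return Object.entries(entries)
    .filter(([, spec]) => !isPinned(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Constructed sample manifest. Package names echo the talk; every version
// string is a made-up placeholder, not a real release.
const samplePackageJson = {
  name: "forms-demo",
  dependencies: {
    "react-hook-form": "7.0.0", // exact: stays put until you change it
    "formik": "^2.0.0",         // caret: any 2.x.y may be installed
    "faker": "latest",          // dist-tag: whatever gets published next
  },
  devDependencies: { "jest": "*" }, // wildcard: any version at all
  // colors is only reached through the tree here; the override pins it
  // wherever it appears, which a direct exact version cannot do.
  overrides: { "colors": "1.0.0" },
};
```

Running `findFloatingDeps(samplePackageJson)` flags `formik`, `faker` and `jest`, while `findFloatingOverrides` returns nothing because the one override is exact.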
