Package Reputation Tracking
Our team is working on tools to help developers answer these questions. In an ideal world, a member of your team would review every line of code from each of your dependencies to make sure it is safe. Performing that review for each (package, version) tuple of every one of your dependencies would be a massive undertaking, and not feasible for most teams. It is also likely that popular packages like React receive much more attention and need not be treated with the same scrutiny as less widely used packages. We started tackling these problems by building processes into our CI/CD pipeline that gather signals on each of our dependencies - how often they're downloaded, updated, forked, and so on - and look for suspect code changes. This has already helped us steer our developers away from unmaintained libraries and from introducing duplicated functionality. We are now taking these ideas further as an open source project that streamlines monitoring your organization's dependencies, maintaining whitelists and blacklists, and reviewing changes between dependency versions - and brings that functionality to the community.
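One way the three pieces described above (reputation signals, allow/block lists, and a review of what changed between versions) fit together in a CI check, as an added example that is not the team's tool or its open source project; the package names, thresholds, signal values and date are constructed:

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class PackageSignals:
    """Signals a CI job gathers per (package, version); every value used below is constructed."""
    name: str
    version: str
    weekly_downloads: int
    forks: int
    last_release: date
    install_scripts: tuple = ()   # lifecycle hooks that run at install time (e.g. npm postinstall)
    dependencies: tuple = ()      # direct dependencies declared by this version

# Organisation-maintained lists (hypothetical package names).
ALLOWLIST = {"react"}                 # widely used and already reviewed: skip the signal checks
BLOCKLIST = {"acme-telemetry-shim"}   # rejected after review: never allowed in

def assess(pkg, previous=None, today=date(2020, 6, 1), stale_after=timedelta(days=365)):
    """Return (verdict, reasons); verdict is 'allow', 'block', 'ok' or 'review'."""
    if pkg.name in BLOCKLIST:
        return "block", ["on blocklist"]
    if pkg.name in ALLOWLIST:
        return "allow", ["on allowlist"]
    reasons = []
    # Reputation signals: little usage or no recent maintenance means a human should look.
    if pkg.weekly_downloads < 1_000:
        reasons.append(f"low usage: {pkg.weekly_downloads} weekly downloads")
    if pkg.forks < 5:
        reasons.append(f"little community interest: {pkg.forks} forks")
    if today - pkg.last_release > stale_after:
        reasons.append(f"unmaintained: last release {pkg.last_release}")
    # Version-to-version diff: the changes most worth a review are install-time hooks
    # and dependencies that the version already in use did not have.
    if previous is not None:
        new_hooks = set(pkg.install_scripts) - set(previous.install_scripts)
        if new_hooks:
            reasons.append(f"new install script(s): {sorted(new_hooks)}")
        new_deps = set(pkg.dependencies) - set(previous.dependencies)
        if new_deps:
            reasons.append(f"new dependencies: {sorted(new_deps)}")
    return ("review" if reasons else "ok"), reasons

# Constructed sample: the version in use today and a proposed upgrade of the same package.
IN_USE = PackageSignals("acme-date-fmt", "1.4.0", 25_000, 40, date(2020, 3, 10))
PROPOSED = PackageSignals("acme-date-fmt", "1.5.0", 25_000, 40, date(2020, 5, 20),
                          install_scripts=("postinstall",), dependencies=("acme-net",))

if __name__ == "__main__":
    print(assess(PROPOSED, previous=IN_USE))
```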