Interesting project, would be great if this supported more than just JS projects, I'd be very interested to see some of the dependencies that my current business relies upon.
I'm working with a pre-launch company that's building a tool to map companies' stacks (among other things). They've shared some of their research with me from and it's insane.
Large software companies have no idea what dependencies, libraries, or even languages are in their stacks. Companies are using multiple versions of the same library, replicated in a bunch of different repos. Different teams in he same company end up re-implementing solutions over and over, sometimes in a whole other framework than the team next to them because nobody knows what anyone else is using. Makes compliance a nightmare.
We have an open source project just for this: https://github.com/fossas/fossa-cli. It currently supports roughly 20+ build systems and languages, and pairs with our web service for license and vulnerability discovery.
You claim this is open-source, however I don't see an easy way to run this myself without relying on your infrastructure and signup up for an account there. Your "analyse locally" option requires an API key and is therefore very much misnamed.
Consider how many layers of dependencies are in use today, and you have no idea who the commenter is, what position he has in the business you assume he is 'running'.
I'd probably be best described as some combination of a technical manager and a businessman. I write some code but there's people I work with who are much better technologists than I am.
A few years back I wrote a cross platform make replacement due to issues with an existing recursive make solution not getting dependencies right due to issues with it creating the wrong DAG (http://lcgapp.cern.ch/project/architecture/recursive_make.pd...). The recursive solution was used in the first place because it was fast but it happened to be incorrect (interesting how stuff like Pipenv has really long lock times because it's prioritizing correctness). So I have an awareness of some of the difficulties in this space very directly. Before I did some projects with build systems and packaging there were a lot of things I didn't know I didn't know.
If they're running that business, they are either paying people who can tell them the dependencies (if not, those people are being paid too much), or they are responsible for the code themselves (small co. or early startup), and should already know, or with small effort be able to identify all the dependencies whenever necessary. Anything else would be irresponsible.
If they're not running that business and have enough access to the code to be able to use this service, they're probably a developer who again should be able to know about the dependencies.
Or perhaps they're in a different position, and only want to know about this for curiosity's sake - in which case, I guess this could be useful. But still, you should be able to ask about this in-house.
And as for the "layers" argument - if there are too many layers of dependencies to keep track of, something is very, very wrong with the technology you are using. (And yes, I do consider modern web tech completely insane.)
I currently am helping to run a kitchen at a restaurant in my spare time and I can tell you that nobody including myself can tell you where our onions are grown, but that they come from Costco
There are grocery stores which specialize in being able to tell the customer exactly where their produce comes from. They've been quite in vogue these past years. :)
>And as for the "layers" argument - if there are too many layers of dependencies to keep track of, something is very, very wrong with the technology you are using. (And yes, I do consider modern web tech completely insane.)
So you were basically being glib about the salaries, since you know a lot of us are in that position? What do you suggest we do?
When I list the dependency tree of our project at work I get ~5500 unique packages (many are different versions of the same ones). Does the fact that I don't know them by heart mean that I'm being paid too much?
No, if anything, I think anyone working in your field is not being paid enough for working with something as bonkers crazy. :)
But seriously, I haven't said that you have to be able to recite the dependencies when woken up at night, just that you should have an existing internal methods of keeping track of them and auditing them, and not relying on some comes-one-day-disappears-the-next web service.
I think this is why a lot of people vendor dependencies and keep mirrors of anything particularly mission critical that they depend on. I've been involved in situations where this has been done for closed source code too via escrow services to make sure of continuity of product even if the other business closes for whatever reason.
Consider something like PyPi and the way in which it will host Python packages. There's times with Python that you will not know what packages are dependencies until you actually download it (this you may notice is why Pipenv will take so long to create a lock file, it has to download a ton of packages, get our your network traffic tools and have a look sometime). So I'm fairly sure there are times where the reason you don't know the dependencies exactly is because they are in some form of being unknowable. Now you might argue that such systems should be re-implemented and as a generalized goal taken in isolation I would tend to agree (improving existing code including legacy systems is something we consult on in my company). But alas in existing systems you sometimes have to deal with non-ideal circumstances that were created with non-ideal package management tools (legacy python and c++ being prime examples of difficult areas to get 100% right).
I work on the opposite end from the web stack - firmware development - and even we have layers upon layers of dependencies that are problematic to track.
The point is not that the deps are problematic to track - that is to be expected with any larger project. The point is actually doing the tracking, and being aware when the deps change, new one gets added, etc., and being able to determine what it means for the business.
My initial impression of the product was that it was a way to see which packages you depend on are looking for support in terms of funding/support. On a non-technical level this would be really good information for us to know because it would really help us make better open source investments.
On a technical level we do the best we can to get to know all the package dependencies and the various other things that we have to be aware of such as security and license issues (we are aware that not everyone does this). But honestly even when you decide to take this seriously it is still hard. Because of transitive dependencies and long chains of dependencies in the libraries you use, it is hard to be able to have a high confidence that you know everything you depend on. Essentially this requires tooling of some form or another to have any chance. With our in-house code we know what our direct dependencies are and we usually can track down most of what we need fairly quickly because we control our build environments. However when we go consult for a clients who have large codebases that we have never seen before it takes a while to track everything down. Sometimes if people have customized build systems this can be really hard to do. We have our own static analysis tools to help with this too.
Even without all the online package management services it's still a hard problem, consider the case of the humble makefile (http://lcgapp.cern.ch/project/architecture/recursive_make.pd...) Add in dependencies on remote computers and this gets harder. Take for example Python with it's huge number of different ways of installing a package, we have some tooling to check things but it's probably not 100% accurate because of the various ways in which Python packaging is broken exacerbated by the various ways in which people have worked around these shortcomings in the past. Pipenv has helped with the lock files but not everything is using those. The power of good tools for package analysis is clear and we use whatever we can. I hope you will see that this is actually a hard problem in a business sense as it costs substantial amounts of time for a business to create tooling for these things and the customer is likely unable to assess the benefits of this directly. We have an obligation and a desire to bring value to our customers and this means we will sometimes have to prioritize a 100% coverage of package information less than other objectives if the client demands it (for example fixing mission critical bugs may be a higher priority). In an ideal world we would love to know every aspect of the stack that we run on but as time goes on the increasing complexity of the systems we use makes this harder.