You can see the bundle size, minified, and you can also see the download time, and one important thing to check is the dependencies. Over here, down there, you can see the composition: the dependencies of the library. Here you can tell that React Hook Form has no dependencies, and if you compare it, for example, to Formik, you can see that Formik depends on lodash-es and other libraries. Now, it doesn't mean that one is better than the other, but it means that it might introduce, for example, security vulnerabilities if one of the dependencies in the tree has security vulnerabilities, so it's better to have fewer dependencies.
Now, fun fact: if you take a look at the graph of the npm trends throughout the years, you can see there is always a drop over here at the beginning of the new year, which is really good. I think it means that the programmers are leaving the computer behind and are busy celebrating the new year, and it's a great tip to take some time to relax, recharge and bring back some energy.
So let's talk about another thing you need to check when you choose an open-source library. Different open-source libraries have different kinds of open-source licenses. You can scan this QR code and it will take you to the website which specifies all the different licenses an open-source library can have. Now, pay attention that if you use a library with a certain kind of license, it might require you to share your own codebase. It might require you to publish your own code under the same license. It's also a really important thing to check before you use or modify code from open-source libraries.
Now, what about the maintainers of the open-source library? Should you trust them? The best advice is to choose a library that is maintained by several maintainers and not just one. You should also be a bit cautious when trusting engineers. Most of us are good people and don't want to harm you, but there are those who suddenly decide to, maybe, publish infinite loops in their code or even delete the entire repository.

So, a cautionary tale. Back in January 2022, the maintainer of one of the most popular open-source libraries decided that he had had enough of companies using his project without paying for it, large companies of course, not individuals, and he decided that he would publish a new version, called the commit "endgame", and gave it the number 666. You can guess by the version number that it probably contained something bad. So in this version, everybody who installed the latest version got the entire repository of this library deleted. You can see that it has millions of weekly downloads, you can also see the license and everything, but it's really important to pay attention to what changes are introduced in the open-source library that you choose, especially in a major version. Now, this maintainer wasn't only the maintainer of Faker, which is the library that companies used to generate fake data; he was also the maintainer of another open-source library named colors. Now you might think, "oh, it's okay, I don't use colors", but maybe one of the dependencies in your tree uses this library. So what he did there was publish a version in which he inserted an infinite loop that caused a denial of service, and many people had this library in their dependency tree. So it caused a lot of trouble, and it wasn't even a major version.
So you really need to take it as a cautionary tale and remember: specify the exact version in your dependencies, don't just automatically take the latest version; wait a bit to hear from the community how the latest version is; check the dependencies if you have the time. This is a really good lesson. And if you're afraid that somewhere in your nested dependency tree there might be a security vulnerability or something like that, you can also specify the range of versions that you want to install, and if you prefer you can also specify a specific version you want to install by using either npm overrides or, if you're using Yarn, Yarn resolutions. So those are my tips on what you need to pay attention to when selecting a library, and once you select, don't automatically install the latest update. If you have any other tips, if you want to share how you select your own libraries, please share them with me. I will be happy to hear, and I will also be happy to hear what your favorite open-source library is.
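As an added example (this is not code from the talk, and not tooling from npm, Yarn or any of the libraries mentioned), here is a small script that does two of the checks above by hand: it walks a package-lock.json to list which packages a library really pulls in, and which direct dependency is responsible for a transitive one like colors; and it checks a package.json for floating ranges and for an `overrides` (npm) or `resolutions` (Yarn) entry forcing a transitive package to a chosen version. The lockfile and manifest are constructed for the example: the `packages` map is the shape of an npm lockfileVersion 2/3 file, but the versions and dependency lists are illustrative, and `some-cli` is a hypothetical package that exists only to pull colors into the tree.

```javascript
// Added example, not code from the talk. Walks a package-lock.json (lockfileVersion 2/3
// "packages" map: keys are paths under node_modules) to list a library's transitive
// dependencies, and checks a package.json for floating ranges and overrides/resolutions.
// LOCK and MANIFEST are constructed sample data; versions and dependency lists are
// illustrative and "some-cli" is hypothetical.

const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { formik: "^2.2.9", "react-hook-form": "7.29.0", "some-cli": "1.0.0" } },
    "node_modules/formik": { version: "2.2.9", dependencies: { "lodash-es": "^4.17.21", "tiny-warning": "^1.0.2" } },
    "node_modules/lodash-es": { version: "4.17.21" },
    "node_modules/tiny-warning": { version: "1.0.3" },
    "node_modules/react-hook-form": { version: "7.29.0" },
    // hypothetical tool that pulls colors in transitively, as a nested copy
    "node_modules/some-cli": { version: "1.0.0", dependencies: { colors: "^1.4.0" } },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.1" },
  },
};

const MANIFEST = {
  dependencies: { formik: "^2.2.9", "react-hook-form": "7.29.0", "some-cli": "1.0.0" },
  overrides: { colors: "1.4.0" },   // npm: force every copy of colors in the tree to 1.4.0
  resolutions: { colors: "1.4.0" }, // Yarn: same intent, different field name
};

// Resolve `name` the way Node would from a package at `fromPath`: nearest nested
// node_modules first, then walk up towards the root node_modules.
function resolvePath(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from `rootName`: every package it reaches, with the chain that reaches it.
function transitiveDeps(lock, rootName) {
  const start = resolvePath(lock, "", rootName);
  if (!start) throw new Error("not in lockfile: " + rootName);
  const seen = new Map(); // dependency name -> chain of names starting at rootName
  const queue = [[start, [rootName]]];
  while (queue.length) {
    const [path, chain] = queue.shift();
    for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
      if (dep === rootName || seen.has(dep)) continue;
      const depPath = resolvePath(lock, path, dep);
      if (!depPath) throw new Error(`unresolved ${dep} from ${path}`);
      seen.set(dep, [...chain, dep]);
      queue.push([depPath, [...chain, dep]]);
    }
  }
  return seen;
}

// Which direct dependencies pull `target` into the tree, and through which chain.
function whoPullsIn(lock, target) {
  const chains = [];
  for (const direct of Object.keys(lock.packages[""].dependencies || {})) {
    if (direct === target) chains.push([direct]);
    const hit = transitiveDeps(lock, direct).get(target);
    if (hit) chains.push(hit);
  }
  return chains;
}

// An exact pin is "1.2.3" or "1.2.3-tag"; anything with ^, ~, *, x or a range floats.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function floatingRanges(manifest) {
  return Object.entries(manifest.dependencies || {})
    .filter(([, range]) => !EXACT.test(range))
    .map(([name]) => name);
}

// Version a transitive package is forced to by npm `overrides` or Yarn `resolutions`, else null.
function forcedVersion(manifest, name) {
  return (manifest.overrides && manifest.overrides[name])
    || (manifest.resolutions && manifest.resolutions[name])
    || null;
}

function report(lock, manifest, target) {
  return {
    direct: Object.keys(lock.packages[""].dependencies),
    formikTree: [...transitiveDeps(lock, "formik").keys()].sort(),
    chainsTo: whoPullsIn(lock, target),
    floating: floatingRanges(manifest),
    forcedTo: forcedVersion(manifest, target),
  };
}

console.log(JSON.stringify(report(LOCK, MANIFEST, "colors"), null, 2));
```

On the sample data the report shows that react-hook-form reaches nothing, formik reaches lodash-es and tiny-warning, colors enters only through some-cli, formik is the one dependency left on a floating range, and colors is forced to 1.4.0. To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and the same for package.json; the lookup order in `resolvePath` is what makes nested copies (the `node_modules/a/node_modules/b` keys) resolve correctly.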