Is It the One? (How to Select an Open-Source Library?)

As software developers, we often use open-source libraries. In this talk, I will share a few tips on selecting an open-source library and what to pay attention to when working with open-source libraries.

This talk was presented at React Advanced 2023.

FAQ

NPM trends allows you to compare different open-source libraries by providing statistics such as creation date, star count, and last update. It helps you identify well-maintained libraries and compare their popularity and usage over time.

A library's dependencies can introduce security vulnerabilities if any dependency in the tree has issues. Fewer dependencies generally mean less risk. Reviewing dependencies helps ensure the library's security and stability.

Different open-source licenses have different requirements. Some may require you to share your own codebase or publish it under the same license. It's important to review the license to ensure compliance with your project's needs.

Choosing a library maintained by multiple maintainers reduces the risk of sudden disruptions. It ensures that if one maintainer leaves or makes a harmful change, others can continue supporting the library.

Automatically installing the latest version of a library can introduce unexpected issues or breaking changes. It's advisable to specify exact versions or wait for community feedback to ensure stability and compatibility.

In January 2022, the maintainer of the Faker and Colors libraries published harmful updates that caused significant disruptions. This incident highlights the importance of specifying exact versions and reviewing changes before updating libraries.

To handle potential security vulnerabilities in nested dependencies, specify the range of versions you want to install and, if permitted, use npm overrides or Yarn resolutions to control which library versions are used in your project.

To select an open-source library, consider the following tips: check NPM trends for library comparisons and review statistics such as the library's creation date, star count, and last update. Ensure the library is well-maintained by checking the number of open bugs, and check its bundle size using BundlePhobia. Pay attention to dependencies and open-source licenses, and consider the maintainers and version changes.

Reviewing a library's maintenance status ensures that the library is actively maintained and updated, reducing the risk of bugs and security vulnerabilities. A well-maintained library will have fewer open bugs and recent updates, indicating ongoing support.

BundlePhobia is a tool that provides information on a library's bundle size, minified size, download time, and dependencies. It helps you evaluate how a library will impact your project's performance and security by highlighting its size and dependency tree.

Keren Kenzi
10 min
23 Oct, 2023

Video Summary and Transcription
This talk provides tips for selecting the right open-source library, such as using NPM trends to compare libraries and considering bundle size, dependencies, and licenses. It also emphasizes the importance of choosing libraries maintained by multiple maintainers and being cautious when trusting engineers. The talk highlights a cautionary tale about relying on a single maintainer and suggests paying attention to changes in major versions and specifying exact versions in dependencies to mitigate security vulnerabilities.

1. Introduction to Selecting Open Source Libraries

Short description:

In this talk, we will discuss how to select the right open-source library for your needs. We will start with an example of implementing forms in React and explore tips for choosing the best library. One tip is to use NPM trends to compare different libraries based on statistics like creation date, stars, last update, open bugs, and bundle size.

Hi, everyone, and welcome to the talk, Is It the One? Or, in other words, How to Select an Open Source Library? My name is Keren Kenzi. I'm a senior software engineer. I love to volunteer at different initiatives to help women in R&D in their professional growth. I volunteer as a co-manager of two programs. One is the Tech Blogging Workshop, and the other one is Codefest. I love sharing knowledge and I love to study new technologies and psychology.

And today we're going to talk about how to select an open source library. I will give you tips to help you select the one that is right for you. And we will start with an example. So let's say, for example, we are front-end developers, we are using React, and we need to implement some sort of forms. Now, forms can get complicated, especially if they have different kinds of input fields, if they have several steps. And we don't need to manage everything ourselves. There are great libraries out there that can help us do exactly that. So how do you choose the right one for you?

Tip number one, go to NPM trends. You can scan this QR, and it will redirect you to NPM trends. And what you will see there is a way to compare between different open-source libraries. For example, let's say that your colleague recommended using React form, which is currently the leading form management library. Then React Trends, once you click over here, the name, will recommend you similar libraries to compare it to. You can see here that Formik is in second place, and there are other libraries that you can compare.

Important thing to pay attention to. NPM will show you statistics, for example. It will show you when the library was created. It will show you how many stars the library has, when it was last updated. When you choose a library, you want to make sure you select an open-source library that is well-maintained, meaning it keeps maintaining, it doesn't, the last time it maintained was, for example, if we take a look at React Hook Form, it was recently maintained. You want to check also the number of open bugs, which appears over here. You can see React Hook Form, for example, has only 24 open bugs, which means it's really well maintained. And another thing to check is the bundle size. You can see here the minified size. If you click on the statistic, it will redirect you to another important website, which is BundlePhobia. This is the QR that will take you there, and if you take a look, for example, in BundlePhobia, on the bundle size of React Hook Form, you have different kinds of information displayed.

2. Considerations for Selecting Open-Source Libraries

Short description:

When selecting an open-source library, it's important to consider the bundle size, dependencies, and license. Having fewer dependencies can reduce the risk of security vulnerabilities. Additionally, it's advisable to choose a library maintained by multiple maintainers and to be cautious when trusting engineers. A cautionary tale highlights the potential risks of relying on a single maintainer. It's crucial to pay attention to changes, especially in major versions, and specify the exact version in your dependencies. Consider specifying a version range or using package manager features like NPM overrides or yarn resolution to mitigate security vulnerabilities. These tips can help you make informed decisions when selecting and using open-source libraries.

You can see the bundle size, minified, and you can also see the download time, and one important thing to check is the dependency. Over here, down there, you can see the composition. You can see the dependencies of the library. Here you can tell that React Hook Form has no dependency, and if you compare it, for example, to Formik, you can see that Formik depends on lodash-es and other libraries. Now, it doesn't mean that this one is better than another, but it means that it might introduce, for example, security vulnerabilities, if one of the dependencies in the tree has security vulnerabilities, so it's better to have fewer dependencies.

Now, fun fact, if you take a look at the graph of the npm trends throughout the years, you can see there is always a drop over here at the beginning of the new year, which is really good, I think it means that the programmers are leaving the computer behind and are busy celebrating new year, and it's a great tip to take some time to relax, recharge and bring some energy back.

So let's talk about another thing you need to check when you choose an open-source library. Different open-source libraries have different kinds of open-source license. You can scan this QR and it will take you to the website which specifies all the different licenses an open-source library can have. Now, pay attention that if you use a library with a certain kind of license, it might require you to share your own codebase. It might require you to publish your own code under the same license. It's really also an important thing to check before you're using or modifying code from open-source libraries.

Now, what about the maintainers of the open-source library? Should you trust them? The best advice is to choose a library that is maintained by several maintainers and not just one. You should also be a bit cautious when trusting engineers. Most of us are good people and don't want to harm you, but there are those who suddenly decide to maybe enter and publish infinite loops in their code or even delete the entire repository. So a cautionary tale. Back in January 2022, the maintainer of one of the most popular open-source libraries decided that he had enough of a company using his project without paying for it, large companies of course, not the individual, and he decided that he will publish a new version, called it the commit Endgame, and gave it a number 666. You can guess by the version number that it probably contained something bad. So in this version everybody who installed the latest version got the entire repository of this library deleted. You can see that it has millions of weekly downloads, you can also see the license and everything, but it's really important to pay attention to what are the changes, especially in major version, that are introduced in the open source library that you choose. Now this maintainer wasn't a maintainer only of Faker, which is the library that company used to fake data, to generate fake data, it was also the maintainer of another open source library named Colors. Now you might think that, oh, it's ok, I don't use Colors, but maybe one of your dependencies in the tree uses this library. So what he did there is publish a version in which he inserted an infinite loop that caused denial of service, and many people had this library in their dependency tree. So it caused a lot of trouble and it wasn't even a major version.

So you really need to take it as a cautionary tale and remember, specify the exact version in your dependency, not just automatically take the latest version, wait a bit to hear from the community, how is the latest version, check the dependency if you have the time, and this is a really good lesson. And if you're afraid that somewhere in your nested dependency tree there might be a security vulnerability or something like that, you can also specify the range of version that you want to install and if you permit you can also specify a specific version you want to install by using either npm overrides or if you're using Yarn, Yarn resolutions. So those are my tips, what you need to pay attention to when selecting a library, and once you select don't automatically install the latest update. If you have any other tips, if you want to share how you select your own library to use, please share it with me, I will be happy to hear and I will also be happy to hear what is your favorite open source library.
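
The two controls named at the end of the talk (exact versions for direct dependencies, npm overrides or Yarn resolutions for nested ones) can be checked mechanically. The script below is an added example, not code from the talk: the function names, package names, versions and lockfile contents are constructed for illustration, and it handles only flat `overrides` / `resolutions` entries and the npm lockfile `packages` map.

```javascript
// Added example, not code from the talk. Package names and versions are constructed.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Only an 'exact' spec resolves to the same version on every install.
function classifySpec(spec) {
  if (EXACT.test(spec)) return 'exact';
  if (/^(?:git|github|https?|file|link|workspace|npm):|\//.test(spec)) return 'non-registry';
  if (/^[A-Za-z][\w-]+$/.test(spec)) return 'tag'; // dist-tags such as "latest"
  return 'range';                                  // ^, ~, >=, *, x, "1 - 2", ...
}

// List every direct dependency that is not pinned to one exact version.
function auditManifest(manifest) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Version forced for a nested package: flat npm "overrides" or Yarn "resolutions" entries only.
function forcedVersion(manifest, name) {
  const o = (manifest.overrides || {})[name];
  if (typeof o === 'string') return o;
  const r = manifest.resolutions || {};
  return r[name] || r[`**/${name}`] || null;
}

// Compare the forced version with every copy recorded in an npm lockfile "packages" map.
function checkNested(manifest, lock, name) {
  const forcedTo = forcedVersion(manifest, name);
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project
    const pkg = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (pkg === name) copies.push({ path, version: meta.version });
  }
  const ok = classifySpec(forcedTo || '') === 'exact' && copies.every((c) => c.version === forcedTo);
  return { forcedTo, copies, ok };
}

// Constructed sample input: three drifting specs and an override the lockfile does not yet honour.
const manifest = {
  dependencies: { 'form-lib': '^7.1.0', 'fake-data-lib': 'latest', 'ui-kit-lib': '2.3.4' },
  devDependencies: { 'lint-lib': '~1.2.0' },
  overrides: { 'term-colors-lib': '1.0.0' },
};
const lock = { packages: { '': { name: 'app' },
  'node_modules/term-colors-lib': { version: '1.0.0' },
  'node_modules/lint-lib/node_modules/term-colors-lib': { version: '1.0.1' },
} };
console.log(auditManifest(manifest), checkNested(manifest, lock, 'term-colors-lib'));
```

In the sample, the override is declared but one nested copy in the lockfile is still at a different version, so `checkNested` reports `ok: false`.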
