-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Vetting third-party open-source software
- Loading branch information
Showing
1 changed file
with
41 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| --- | ||
| title: Vetting third-party open-source software | ||
| date: 2024-06-13 | ||
| permalink: daily/2024/06/13/vetting-third-party-open-source-software | ||
| tags: | ||
| - software-development | ||
| - drupal | ||
| - open-source | ||
| cta: ~ | ||
| snippet: | | ||
| How do you vet open-source software you're thinking of adding to your project? | ||
| --- | ||
|
|
||
| Open-source software, such as Drupal modules and themes, PHP libraries and Tailwind CSS plugins, is great. | ||
|
|
||
| Instead of writing everything from scratch, if someone else has written what you need, you can use it. | ||
|
|
||
| In the Drupal ecosystem, there's a saying - "There's a module for that!". | ||
|
|
||
| But, assuming you find a project that adds the functionality you need, you should review and vet it before adding it to your application. | ||
|
|
||
| Adding too many modules and libraries can cause performance issues, add a maintenance overhead, introduce upstream bugs and add potential security vulnerabilities. | ||
|
|
||
| As well as reading the code, here are some questions I ask and things I look for when deciding to add a project or not: | ||
|
|
||
| - Does it do what I need? | ||
| - Does it add too much functionality? Is there a more minimal version that does what I need without the extra overhead? | ||
| - Does it have a stable release? If there's only a development or alpha release (which are unstable and can break at any time), I wouldn't add it. | ||
| - Is it extendable? Can I configure or extend it if I need to add more or alter it's default functionality? | ||
| - How many other websites are using it? Websites like Drupal.org and Packagist will show usage statistics. | ||
| - How many open issues are there? | ||
| - When was the most recent commit and release? | ||
| - Does it have automated tests? If so, are they passing? | ||
| - Does it have a README.md file or other documentation? | ||
| - Who are the maintainers? | ||
| - Are they responsive to issues and accepting of outside contributions? If I find a bug, can I fix and contribute it? | ||
| - Does the project have a published roadmap? | ||
|
|
||
| Finally: | ||
|
|
||
| Do I really need it? |