

Chronicles of the Node.js Ecosystem: The Consumer, The Author, and The Maintainer - Bethany Griggs, IBM

The sheer vastness of the Node.js module ecosystem poses challenges for the consumers, authors, and maintainers. How do consumers know which of the 1 million modules to rely on for their production deployments? How do module authors handle their hobby projects evolving into a widespread, critical dependency? What happens to abandoned modules? How can a module author test the impact of their changes on dependent applications? This talk will highlight these problems, and also showcase the work that the Node.js Package Maintenance team is doing to try and help solve these problems.


Bethany Nicolle Griggs

June 24, 2020


Transcript

1. CHRONICLES OF THE NODE.JS ECOSYSTEM: THE USER, THE AUTHOR, AND THE MAINTAINER
@BethGriggs_ @BethGriggs
2. NODE.JS MODULES
• Many are Open Source with code available on GitHub
• Promotes code sharing and reuse
• Over 1M modules available on npm registry

3. ACTUALLY A LOT OF CODE IN PRODUCTION
• 49 unique packages
• 59,564 lines of JavaScript
• 6 different license types

4. STATE OF NODE.JS SECURITY
• 84% are moderately to very confident in the security of Node.js core
• 16% are confident that third-party packages they use are vulnerability-free
https://nodesource.com/blog/the-state-of-node-js-security-in-2017/

5. SECURITY RISK MITIGATION
• npm audit
• GitHub security alerts
• Lock down your package.json
• Publish a package-lock.json
• dependabot
• Commercial security tools
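
A worked example for two items on the mitigation list, "lock down your package.json" and "publish a package-lock.json". It is added here and is not code from the talk or from the Package Maintenance team: it flags dependency specifiers in a package.json that can float (ranges, dist-tags, git specs) and lock-file entries that `npm ci` could not verify (no `integrity` hash, or a `resolved` URL that is not https). Both JSON documents are constructed samples, the file name is an assumption, and the integrity string is a placeholder rather than a real hash.

```javascript
// Added example (not from the talk): audit dependency pinning and lock-file
// integrity. Save as audit-deps.js (name is an assumption) and run: node audit-deps.js

// An exact version is "MAJOR.MINOR.PATCH" with an optional prerelease suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Returns every dependency whose specifier is not an exact version: ranges
// (^, ~, >=), dist-tags (latest), git/URL specs and wildcards all allow a
// different build of the package to be installed tomorrow than today.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// package-lock.json (lockfileVersion 2 or 3) records each installed package
// under "packages", keyed by its path below the project root. An entry
// without an "integrity" hash lets `npm ci` accept whatever the registry
// serves; a non-https "resolved" URL exposes the download to tampering.
function findLockGaps(lock) {
  const gaps = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;  // the root project itself
    if (entry.link) continue;   // workspace symlink; nothing is fetched
    const problems = [];
    if (!entry.integrity) problems.push('missing integrity hash');
    if (!entry.resolved) problems.push('missing resolved URL');
    else if (!entry.resolved.startsWith('https://')) problems.push('resolved URL is not https');
    if (problems.length > 0) gaps.push({ path, problems });
  }
  return gaps;
}

// Constructed sample inputs (not a real project).
const samplePackage = {
  name: 'example-app',
  dependencies: {
    express: '^4.17.1',                 // caret range: floats within 4.x
    lodash: '4.17.21',                  // exact: pinned
    'left-pad': 'latest',               // dist-tag: floats across majors
    'my-lib': 'github:example/my-lib',  // git spec: resolves to a moving branch
  },
  devDependencies: { mocha: '~8.0.0' }, // tilde range: floats within 8.0.x
};

const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-PLACEHOLDER', // placeholder, not the real hash
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'http://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      // no integrity field
    },
  },
};

for (const f of findUnpinned(samplePackage)) {
  console.log(`unpinned ${f.field}.${f.name}: "${f.spec}"`);
}
for (const g of findLockGaps(sampleLock)) {
  console.log(`lock entry ${g.path}: ${g.problems.join(', ')}`);
}
```

On a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; committing the lock file and installing with `npm ci` is what turns the integrity hashes into an enforced check.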
6. CARE?
If you link with open source libraries and then distribute the software, you need to make sure your software is COMPLIANT with the licenses of the linked libraries.

7. WHAT DO YOU MEAN DISTRIBUTE?
• Transferring software between employees of the same company is not normally a distribution
• Users interacting with an app over a network is not a distribution for most open source licenses
• Network-protective licenses (AGPL, etc.) are the exception
• Hosting the JavaScript files on a public web server is considered a distribution

8. UNDERSTANDING LEGAL SPEAK
• Software Licenses in Plain English - https://tldrlegal.com/
• GitHub Licenses:
9. MAINTENANCE
• Are you using a deprecated module?
• Are issues in the module being fixed?
• Are there regular releases?
• How active is the development?
• How many maintainers are there?

10. BREAKING CHANGES
• How strictly are the authors/maintainers following the versioning scheme?
• How often will I have to update major versions?
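
The maintenance and breaking-change questions above can be answered mechanically from a package's npm registry document (the "packument" returned for a package name). The following is an added example, not code from the talk or the Package Maintenance team: it reads the `dist-tags`, `time`, `maintainers` and per-version `deprecated` fields that the public registry's JSON exposes, and reports deprecation, maintainer count, time since the last release, release rate over the past year, and how far apart major versions have been. The packument and the fixed "now" are constructed for a hypothetical package.

```javascript
// Added example (not from the talk): assess a package's maintenance health
// from its registry document. The field names follow the npm registry's JSON;
// the data is constructed, not a real package.

const DAY_MS = 24 * 60 * 60 * 1000;

function majorOf(version) {
  return Number(version.split('.')[0]);
}

// Prereleases (e.g. "4.0.0-beta.1") are not counted as releases below.
function isPrerelease(version) {
  return version.includes('-');
}

// now: a Date, injected so the assessment is reproducible.
function assessPackage(packument, now) {
  const latest = packument['dist-tags'] && packument['dist-tags'].latest;
  const latestMeta = (packument.versions || {})[latest] || {};

  // "time" maps each published version to its publish timestamp, plus the
  // bookkeeping keys "created" and "modified", which are not releases.
  const releases = Object.entries(packument.time || {})
    .filter(([v]) => v !== 'created' && v !== 'modified' && !isPrerelease(v))
    .map(([version, iso]) => ({ version, at: new Date(iso) }))
    .sort((a, b) => a.at - b.at);

  const last = releases[releases.length - 1];
  const daysSinceLastRelease = last ? Math.floor((now - last.at) / DAY_MS) : Infinity;
  const releasesInLastYear = releases.filter(r => now - r.at <= 365 * DAY_MS).length;

  // First publish date of each major line, in order, to estimate how often a
  // consumer will face a major (potentially breaking) upgrade.
  const majorFirstSeen = new Map();
  for (const r of releases) {
    const m = majorOf(r.version);
    if (!majorFirstSeen.has(m)) majorFirstSeen.set(m, r.at);
  }
  const majorDates = [...majorFirstSeen.values()];
  let meanDaysBetweenMajors = null;
  if (majorDates.length > 1) {
    const span = majorDates[majorDates.length - 1] - majorDates[0];
    meanDaysBetweenMajors = span / DAY_MS / (majorDates.length - 1);
  }

  const maintainers = (packument.maintainers || []).length;
  // The registry stores a deprecation as a message string on the version.
  const deprecated = typeof latestMeta.deprecated === 'string';

  const flags = [];
  if (deprecated) flags.push(`latest (${latest}) is deprecated: ${latestMeta.deprecated}`);
  if (maintainers < 2) flags.push('bus factor of one: a single maintainer');
  if (daysSinceLastRelease > 365) flags.push('no release in over a year');

  return { latest, deprecated, maintainers, daysSinceLastRelease, releasesInLastYear,
           majorsPublished: majorDates.length, meanDaysBetweenMajors, flags };
}

// Constructed packument for a hypothetical package; it mirrors the shape of
// GET https://registry.npmjs.org/<name> but every value is made up.
const samplePackument = {
  name: 'example-lib',
  'dist-tags': { latest: '3.1.0' },
  maintainers: [{ name: 'alice', email: 'alice@example.com' }],
  time: {
    created: '2016-02-01T00:00:00.000Z',
    modified: '2019-08-10T00:00:00.000Z',
    '1.0.0': '2016-02-01T00:00:00.000Z',
    '1.1.0': '2016-09-15T00:00:00.000Z',
    '2.0.0': '2017-03-20T00:00:00.000Z',
    '3.0.0': '2018-11-05T00:00:00.000Z',
    '3.1.0': '2019-08-10T00:00:00.000Z',
  },
  versions: { '3.1.0': { version: '3.1.0' } }, // no "deprecated" message set
};

// Fixed "now" (the talk's date) so the numbers are reproducible.
const sampleNow = new Date('2020-06-24T00:00:00.000Z');

console.log(JSON.stringify(assessPackage(samplePackument, sampleNow), null, 2));
```

The thresholds (two maintainers, a release within a year) are assumptions to be tuned per project; the point is that each question on the slide maps to a concrete registry field rather than a feeling about the module.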
11. SECURITY
• Is there an expectation you will respond to and fix security vulnerabilities?
• Can you commit to fixing them in a timely manner?
• Can you cope with the influx of reports?

12. BREAKING CHANGES
• How does the module author know which other modules are relying on their module?
• A bug for one user might be a feature for another
• How can they test the impact of their changes?

13. COMPATIBILITY
• How do they keep their module up to date with Node.js major releases?
• How can they manage the expectation of which release lines they support?

14. HANDING OVER MODULES
• How, and whom, can module authors ask for help?
• How can they find someone trustworthy to hand the module over to?
15. THE AIM?
• Document best practices for module authors and maintainers
• Document processes for authors and maintainers to follow in certain situations
• Promote responsible and sustainable consumption of modules
• Encourage clearer and closer communication between users, authors, and maintainers

16. UNDERSTANDING THE STATE OF THE ECOSYSTEM
• Surveying the state of the ecosystem
• What are the most common problems users, authors, and maintainers are facing?
• What are the most time-consuming tasks?

17. PILOT PACKAGES – EXPRESS ✈
• Key problems identified:
  • Status of issues across all the Express modules
  • Struggling to keep up with the issues raised

18. SOLUTION - TRIAGING EFFORTS
• Define best practices for triaging issues
• Define a pathway for volunteers to help modules
• Package Maintenance team has successfully recruited volunteers to help with Express triage

19. PKGJS – TOOLING
• Although handled by the Node.js Package Maintenance team, tooling lives in a separate GitHub organization named pkgjs to allow us to build prototypes

20. WIBY – WILL I BREAK YOU?
• Help module authors test whether changes they are making will impact their downstream modules
• Think dependabot, but for testing whether you as an author are breaking the modules depending on you
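
Before a dependent's test-suite is run against a candidate release, there is a simpler question behind slides 10, 12 and 20: which dependents would actually receive that release under the version ranges they declare? The block below is an added example, not the talk's material and not wiby's code, and it uses a hand-written matcher for the common npm specifiers (exact `x.y.z`, caret `^x.y.z`, tilde `~x.y.z`, and the wildcards `*`, `x`, `latest`) rather than the `semver` package a real tool would use. The dependents and the package name `example-lib` are constructed.

```javascript
// Added example (not from the talk, not wiby): which dependents will pull in
// a candidate release automatically, given the ranges in their package.json.

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version (prereleases not handled here): ${version}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a range. Tilde allows patch-level changes only.
// Caret allows changes that do not touch the leftmost non-zero component,
// so ^1.2.3 accepts <2.0.0, ^0.2.3 only <0.3.0 and ^0.0.3 only <0.0.4.
function upperBound([major, minor, patch], op) {
  if (op === '~') return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(version, range) {
  const spec = range.trim();
  if (spec === '*' || spec === 'x' || spec === 'latest' || spec === '') return true;
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(spec);
  if (!m) throw new Error(`unsupported range syntax: ${range}`);
  const v = parseVersion(version);
  const lower = parseVersion(m[2]);
  if (m[1] === '') return compare(v, lower) === 0;
  return compare(v, lower) >= 0 && compare(v, upperBound(lower, m[1])) < 0;
}

// dependents: [{ name, dependencies: { <pkg>: <range> } }] as read from each
// dependent's package.json. Splits them into those whose range admits the
// candidate (they get it on their next fresh install, so they must be tested
// before publishing) and those that would have to opt in explicitly.
function releaseReach(pkgName, candidate, dependents) {
  const willReceive = [];
  const mustOptIn = [];
  for (const dep of dependents) {
    const range = (dep.dependencies || {})[pkgName];
    if (range === undefined) continue; // does not depend on pkgName at all
    (satisfies(candidate, range) ? willReceive : mustOptIn).push(dep.name);
  }
  return { willReceive, mustOptIn };
}

// Constructed sample: hypothetical dependents of a hypothetical "example-lib".
const sampleDependents = [
  { name: 'app-a', dependencies: { 'example-lib': '^3.0.0' } },
  { name: 'app-b', dependencies: { 'example-lib': '~3.1.0' } },
  { name: 'app-c', dependencies: { 'example-lib': '3.1.0' } },
  { name: 'app-d', dependencies: { 'example-lib': '*' } },
  { name: 'app-e', dependencies: { 'example-lib': '^0.9.0' } },
  { name: 'app-f', dependencies: { 'other-lib': '^1.0.0' } },
];

for (const candidate of ['3.1.1', '3.2.0', '4.0.0']) {
  const reach = releaseReach('example-lib', candidate, sampleDependents);
  console.log(`${candidate}: will receive ${JSON.stringify(reach.willReceive)}, must opt in ${JSON.stringify(reach.mustOptIn)}`);
}
```

Two things the output makes concrete: a patch release reaches every caret and tilde consumer at once, which is why a "harmless" fix that changes behaviour is the case wiby-style downstream testing exists for, and a `*` consumer receives even a major bump, so the versioning scheme only protects consumers who declare a range that honours it.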
21. NEXT STEPS
• Continue to seek consensus on best practices for module consumers, authors, and maintainers
• Continue to build tooling to support consumers, authors, and maintainers
• Support more modules in need of help by recruiting triagers
• node-fetch

22. GET INVOLVED!
• Check out our guidelines – if you disagree let us know!
• Help build tooling to support module users, authors, and maintainers
• Become a maintainer – help triage issues and contribute to popular modules
HTTPS://GITHUB.COM/NODEJS/PACKAGE-MAINTENANCE
23. CHRONICLES OF THE NODE.JS ECOSYSTEM: THE USER, THE AUTHOR, AND THE MAINTAINER
@BethGriggs_ @BethGriggs