惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
F
Full Disclosure
Martin Fowler
Martin Fowler
The GitHub Blog
The GitHub Blog
L
LangChain Blog
T
The Blog of Author Tim Ferriss
D
DataBreaches.Net
GbyAI
GbyAI
Y
Y Combinator Blog
博客园 - Franky
WordPress大学
WordPress大学
Apple Machine Learning Research
Apple Machine Learning Research
A
About on SuperTechFans
Blog — PlanetScale
Blog — PlanetScale
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
G
Google Developers Blog
罗磊的独立博客
Hugging Face - Blog
Hugging Face - Blog
博客园 - 三生石上(FineUI控件)
IT之家
IT之家
Jina AI
Jina AI
N
Netflix TechBlog - Medium
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 聂微东
腾讯CDC
H
Help Net Security
H
Heimdal Security Blog
J
Java Code Geeks
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
The Exploit Database - CXSecurity.com
The Register - Security
The Register - Security
大猫的无限游戏
大猫的无限游戏
T
Threatpost
B
Blog RSS Feed
T
Threat Research - Cisco Blogs
Microsoft Security Blog
Microsoft Security Blog
S
Securelist
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
B
Blog
量子位
AWS News Blog
AWS News Blog
Project Zero
Project Zero
P
Proofpoint News Feed
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
S
Schneier on Security

Yusuf Aytas

When Code Is Cheap, Does Quality Still Matter? Why Crouching Tiger, Hidden Dragon Is a Masterpiece Why We Ignore Advice The Mirror Is Part of the Machine When Too Many Maps Overlap on One Person The Work Runs on Different Maps Your Work Introduces You Trial By Fire The Dude Why Headcount Math Lies Capacity Is the Roadmap The Roadmap Is Not the System Torres del Paine W Trek Escaping Status Theater Incentives Drive Everything Scaling Culture Without Dilution What Good Looks Like Why Airport Security Feels Random Why Politics Appear How to Work with Me The Janus Protocol Multi-Horizon Delivery Framework What Good Execution Looks Like Managing Your Manager Why Kingdom of Heaven’s Director’s Cut Is Better AI Broke Interviews Most of What We Call Progress Managers Have Been Vibe Coding All Along Stop Wasting Brainpower Why Over-Engineering Happens Prisoner's Dilemma Climbing No More The Weekly Win Mevlana Candy Brewing Turkish Tea Onboarding Your Engineering Manager Technical Deep Dives Yapay Zekâ Çağında Bilgisayar Mühendisliği Building Remote Teams From Idea to Launch in 2 Weeks Reflecting on Software Engineering Handbook Representing the Business New Manager Survival Guide Take Self Reviews Seriously Chasing Real Respect The Invisible Difference Learning the Johari Window Management is a Lonely Place Simple Task Management AI Balance in Work PIP Manager Insights Engineering Manager Interview Preparation Work-Life Balance as a Manager Bridging the Management Disconnect Tech Hiring Bubble Bursts Traits for EMs Simple Acts of Recognition Matter The Question I Ask Every New Report The Reality of an Employer's Market Bridging Ideals and Reality Hiring Red Flags Why The Godfather Is So Damn Good Subteam Tenets No Fluff Please Losing a Top Performer Balancing Act of Reliability Building Trust in Engineering Teams Ideal Number of Direct Reports Overriding a People Leader’s Decision From Misperception to Promotion Perception vs Perspective Setting Goals From Engineer to Manager Getting Delegation Right Interviewing Your Future Boss Celebrating Our Book in Iceland Operational Skills Needed On Writing Software Engineering Handbook Charlie Munger Quotes Working with Dependencies From Las Vegas to Canyons Navigating Layoffs Handling Competitive Dynamics A Weekend Getaway to Malta Engineering Health Essentials Should Dev Managers Code? Confronting the Life on Pause Winning Eleven Kindness is A Choice Bireysel Katılımcılar ve Yöneticiler Leading from Where You Are The Subtle Art of Listening Coding in Leadership The Power of Consistency The Making of a Leader The Path to Leadership Embracing TikTok Talent Sourcing Journey Leading Self Managing Teams Cracking Coding Bottlenecks
Before You Import That Library
Yusuf Aytas · 2019-08-07 · via Yusuf Aytas

Published · 7 min read

Software development depends a lot on open source projects. From operating systems to editors, we use open source software everywhere. Nevertheless, we should be careful about what we are using. We should potentially go through a checklist to see if the software meets our expectations. If there doesnʼt exist a guideline for the company or the team, we should set up one.

Open source is one of the biggest enablers of modern engineering but also one of the largest sources of hidden risk. The same libraries that accelerate development can introduce vulnerabilities, compliance issues, or long-term maintenance costs if not properly vetted. In earlier discussions like Engineering Roles and Responsibilities, I emphasized how defining ownership helps mitigate such risks. This post dives deeper into that principle from the lens of open-source dependency management.

So, without further ado, letʼs see what we should check before using open-source software.

Open Source

Security

A problematic open source software can open up a huge risk for your product. What should developers do for potential vulnerabilities? The least that can be done is to use the national vulnerability database, common vulnerabilities and exposures, and OWASP dependency check.

Unfortunately, security vulnerabilities often get discovered months later. Even worse, there are cases where the vulnerabilities are discovered after years. Thus, we should constantly check the dependent libraries and possibly automate it by OWASP dependency check plugins.

Correctness

Open source projects are written to address different problems. Nevertheless, there are times where the open source software struggles to deliver the very premise of a correct solution. For example, one can expect a distributed lock to provide atomicity over threads and processes. In reality, you can find out this isnʼt the case. It can be hard to realize such problems since the project can have big community support or many stars… I suggest reading a bit of code of the project before committing to it. I know it would take time to dive into the code but itʼs better than getting paged for an unforeseen reason.

No matter how popular a library is, trust must be earned by validating its correctness.Stars and downloads are not proxies for those guarantees.  Before integrating any dependency, run focused validation: trigger edge-conditions, simulate failures, test concurrency boundaries, and ask “under what assumptions does this break?”

License

Open source software development licensing is one of the first things you need to check. If you aren’t comfortable with licensing, I recommend checking out common licenses. The way you would handle the licensing part depends on the intent etc. For some cases, you might need to get some legal advice as well. On the other hand, there are standard licenses like Apache that you can expect you won’t have many headaches. The trouble here is about checking dependent software licenses since one project depends on another. You can automate license checking as well by using different tools based on the languages and platforms.

License compliance is a technical safeguard. Violating even a single transitive dependency’s license can jeopardize a product release or expose a company to lawsuits. Many applications contain components with unclear or incompatible licenses, primarily due to nested dependencies. 
Automated scanners are helpful, but they don’t replace human review. The goal isn’t to block open-source adoption. It’s to understand your obligations. Integrating license checks directly into CI/CD, much like compliance or security validation, ensures alignment between engineering speed and legal safety. If a dependency’s license conflicts with your product model, for example, GPL in a closed-source service, treat it as a production risk Replacing it early is far cheaper than refactoring later.

Here's a table for some of the licenses for a quick reference.

LicensePermissionsRestrictions / ObligationsBest For
MITCommercial use, modification, distribution, private useMust include copyright and license noticeSmall libraries, permissive use
Apache 2.0Commercial use, modification, patent use, distributionMust include notice; provide license; state changesCorporate or SaaS integration
GPL v3Commercial use, modification, distributionCopyleft – derivative work must be open sourceDeveloper tools or standalone apps
LGPL v3Commercial use, linking, modificationLibrary changes must be open; linking allowedShared libraries, plug-ins
BSD 2-Clause / 3-ClauseCommercial use, modification, distributionRetain copyright notice; no endorsement impliedInfrastructure or network code
MPL 2.0Commercial use, modificationMust open modified files only (not whole codebase)Large modular systems
EPL 2.0Commercial use, modification, distributionMust disclose modified files under EPLEnterprise frameworks
CC BY-SA 4.0Copying, redistributionMust credit and share under identical termsDocumentation or media assets

An active community is an important aspect of open source software. Before deciding to adopt a solution, you should check if issues are being addressed, if bugs are being tracked, and if it has guidelines or sufficient documentation. A quick research on the project page and potentially StackOverflow might give you some idea about the community support. Yet, sometimes it’s hard to find an open source solution with a good community. In that case, the question is whether you want to contribute back to the project when you hit a dead end. Contributing to open source projects is always fun, so why not?

A healthy community is a proxy for the project’s long-term stability. If bug reports are ignored, documentation is stale, or maintainers respond slowly, you might get into real trouble. When evaluating community strength, look for measurable signals. Some examples are contributor churn, issue close rate, average response time, and diversity of maintainers. A project supported by multiple organizations (high “elephant factor”) is more resilient than one dominated by a single developer.

Stability

The stability is another aspect to look for. If the open source software changes a lot and you don’t think you can keep up with the changes, perhaps this isn’t a good choice for you. Even in the stable open source software, you should lean towards stable releases. For example: if you have a new version of a project, I would recommend waiting a bit than upgrading since for every new release there would be potential problems. It’s better to wait for issues to be fixed and hope to get the release to reach some maturity.

In production systems, change frequency is a form of risk. Projects with rapid release cycles can introduce unseen regressions, undocumented API shifts, or untested dependencies. Stability isn’t just about how often code changes but also whether change is predictable and reversible. You can manage part of the risk by pinning dependency versions. 

All in All

Today’s software development can’t be done without the help of open source projects and products. Whenever we want to introduce an open source dependency, we should go through at least some of the topics discussed here. Personally, I recommend checking out security and then the solution. Both security and correct solutions matter a lot since you don’t want your product to have security holes as well as unexplained bugs.

Treat dependency evaluation like code review, systematic, repeatable, and documented. Every library you adopt becomes part of your supply chain, so the same care you apply to internal systems should apply here. Building this discipline ties directly to your broader engineering culture.

A small amount of diligence up front prevents costly rework, unplanned incidents, or compliance surprises later. Open source isn’t “free”; it’s a shared responsibility. One that rewards those who check first, then use.