Dependencies
4th August 2024
My philosophy on dependencies is to have as few as possible, but not fewer. Apart from whether the project (dependency) is actually good, there are really only 3 things I look for:
Popularity: Is it popular? The unfortunate reality is that the more people depend on it, the more likely it is to be maintained and battle-tested in production. The proxy I use for popularity is usually the number of GitHub stars, or downloads for something like a Docker image.
Maintainer: Is it backed by a company, an individual, or a group of individuals? Or is it used by large companies? Company-backed, commercially sponsored projects are also far more likely to be maintained. If a single contributor has 90% of the code changes, I don't have as much confidence in the project, as it has a single point of failure.
Last updated: When was the last commit? If it's been a few years, it's probably not being actively worked on. Also, is the original author still involved? Usually new maintainers are not as invested in the project as the original author.
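The maintainer and last-updated checks above can be computed from a repository's own commit history rather than eyeballed. The script below is an added example, not code from the post; it reads lines in the shape of `git log --format='%an%x09%aI'` (author name, tab, ISO-8601 author date) and reports the top author's share of commits, the days since the last commit, and whether the author of the first commit still appears in recent history. The 90% single-contributor threshold comes from the post; the two-year staleness cut-off, the five-commit "recent" window, the fixed "now" date and both sample logs are assumptions constructed for the example. Stars and download counts are deliberately left out because they need a network call to GitHub or a registry.

```python
import sys
from collections import Counter
from datetime import datetime

# Constructed sample logs in the shape of `git log --format='%an%x09%aI'` output.
# They are not taken from any real repository.
SAMPLE_LOG_ACTIVE = """\
alice\t2021-03-01T09:00:00+00:00
alice\t2021-06-15T09:00:00+00:00
alice\t2022-01-10T09:00:00+00:00
alice\t2022-05-05T09:00:00+00:00
bob\t2022-09-20T09:00:00+00:00
alice\t2023-02-14T09:00:00+00:00
alice\t2023-08-01T09:00:00+00:00
alice\t2024-01-20T09:00:00+00:00
alice\t2024-05-03T09:00:00+00:00
alice\t2024-07-30T10:12:00+00:00
"""

SAMPLE_LOG_ABANDONED = """\
carol\t2018-02-01T09:00:00+00:00
carol\t2018-07-19T09:00:00+00:00
carol\t2019-01-05T09:00:00+00:00
dave\t2019-06-12T09:00:00+00:00
dave\t2019-10-30T09:00:00+00:00
dave\t2020-01-15T09:00:00+00:00
dave\t2020-04-02T09:00:00+00:00
dave\t2020-06-30T09:00:00+00:00
"""

# Fixed reference date (the post's date) so results are reproducible; an assumption.
NOW = datetime.fromisoformat("2024-08-04T12:00:00+00:00")


def parse_log(text):
    """Return (author, commit_datetime) tuples sorted oldest to newest."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        author, iso = line.split("\t", 1)
        commits.append((author, datetime.fromisoformat(iso.strip())))
    return sorted(commits, key=lambda c: c[1])


def top_author_share(commits):
    """Author with the most commits and their fraction of all commits."""
    counts = Counter(author for author, _ in commits)
    author, n = counts.most_common(1)[0]
    return author, n / len(commits)


def days_since_last_commit(commits, now=NOW):
    """Whole days between the newest commit and `now` (timezone-aware)."""
    return (now - commits[-1][1]).days


def original_author_active(commits, recent=5):
    """True if the author of the first commit appears in the last `recent` commits."""
    original = commits[0][0]
    return original in {author for author, _ in commits[-recent:]}


def assess(text, now=NOW, single_author_share=0.9, stale_days=2 * 365, recent=5):
    """Apply the post's heuristics to a git log dump and return findings plus flags."""
    commits = parse_log(text)
    author, share = top_author_share(commits)
    age = days_since_last_commit(commits, now)
    active = original_author_active(commits, recent)
    flags = []
    if share >= single_author_share:  # 90% threshold from the post
        flags.append(f"single point of failure: {author} authored {share:.0%} of commits")
    if age > stale_days:  # two-year cut-off is an assumption
        flags.append(f"stale: last commit {age} days ago")
    if not active:
        flags.append(f"original author {commits[0][0]} absent from last {recent} commits")
    return {
        "commits": len(commits),
        "top_author": author,
        "top_share": share,
        "days_since_last_commit": age,
        "original_author_active": active,
        "flags": flags,
    }


if __name__ == "__main__":
    # Pipe a real log in, e.g. `git log --format='%an%x09%aI' | python3 dep_check.py`,
    # or run with no input to assess the two constructed samples.
    if sys.stdin.isatty():
        for name, log in (("active", SAMPLE_LOG_ACTIVE), ("abandoned", SAMPLE_LOG_ABANDONED)):
            print(name, assess(log))
    else:
        print(assess(sys.stdin.read(), now=datetime.now().astimezone()))
```

On the constructed samples the "active" log trips only the single-contributor flag (alice has 9 of 10 commits, the last one five days before the reference date), while the "abandoned" log is flagged as stale and as having lost its original author, even though no single person dominates it. Treat the numbers as prompts for a closer look, not as a verdict: a small library that is simply finished will look stale by this measure.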