Show HN: Dependency CI – Continuous testing for your dependencies

198 points by andrewnez, nearly 9 years ago

22 comments

code_research, nearly 9 years ago
This is a very interesting service, thank you!

May I ask you for some little thing that might change the (development) world? Would you *please* like to introduce a folder, where people might put their dependency.yml file - this is an effort to finally stop the spreading cancer of "put one more config file into the project root".

I would like to suggest to call that folder simply "config" - all the projects and tools out there should have no problem with that. Optionally there could be *one* top level config file called "config.rc" - this file points to the actual config dir if it is not "config".

It would be verrry nice if one service just starts with that and hopefully all the others will follow and it will become a de facto standard. The pollution of the top level project directories really must stop.

Thank you!

andrewnez, nearly 9 years ago
I’ve been working on Dependency CI along with https://libraries.io, the service that powers it, in my spare time for the past few months, it’s great to finally get it out into the real world.

Dependency CI works like Travis CI but for the dependencies of your application, checking them for license and status issues every time you push to GitHub.

I've written up a post on Medium with more details: https://medium.com/@teabass/introducing-dependency-ci-e859fa138eb6

It’s 100% free for open source projects and there’s a 14 day free trial for checking private GitHub repositories too.

tombh, nearly 9 years ago
I've known Andrew for a few years and what I love about this is how it reflects him as a person: someone who loves bringing people together. Dependency CI seems to me to be a manifestation of that. Hopefully one effect of Dependency CI, if (when) it becomes popular is that it raises the bar for the stability of projects that other people depend on. We're all in this together. Keep up the great and inspiring work Andrew!

jvehent, nearly 9 years ago
Similar to Greenkeeper or requires.io, but with a larger range of languages supported. Very interesting.

As a side note, I recommend creating a separate GitHub account when granting permission to this kind of 3rd party. Don't grant them full read/write on your repos, create an account that's temporarily admin, then make that account read only.

ckastner, nearly 9 years ago
The Debian project's Continuous Integration project [1] re-tests all dependent objects whenever a dependency within the Debian archive changes. This way, changes that might negatively affect dependents can be caught early.

This is immensely useful, especially to the maintainers of libraries.

In order for them to be tested, dependent objects have to declare their testability using the autopkgtest [2] interface.

[1] https://ci.debian.net/

[2] https://people.debian.org/~mpitt/autopkgtest/README.package-tests.html

michaelmior, nearly 9 years ago
There are plenty of other services in this space (see below for a couple). I hadn't heard of Dependency CI and what immediately impresses me is the number of different package managers supported.

https://gemnasium.com/

https://www.versioneye.com/

insomniacity, nearly 9 years ago
OP- Do you have a roadmap to supporting this outside of GitHub? I think the people that benefit most from it, due to corporate policies and outdated deps, are the people least likely to be using GitHub!

Everyone else - Is this a general problem with people locking these (very cool) tools to GitHub? Is there a generalised solution to the problem of source control integration?

Mizza, nearly 9 years ago
For JavaScript and Python developers, there is a newish service called Doppins (from Norway!) that I've really been enjoying for my open source projects: https://doppins.com/

No conf required other than your normal requirements.txt, sends you a PR whenever there are new versions available. Cracking stuff.

eisokant, nearly 9 years ago
Having gotten to know Andrew a bit over the last few months, I can wholeheartedly say that he cares a lot about the open source community. DependencyCI and Libraries.io are labours of love and craftsmanship!

SlashmanX, nearly 9 years ago
Great work on this, looks very useful. Does it only work with GitHub? Would love to have this for my private GitLab instance

didymospl, nearly 9 years ago
Great idea! My company requires external libraries' licenses to be reviewed every half a year and it usually takes a couple of days to do so. Your project could be a real time-saver. Unfortunately the integration with Maven does not seem to work in most cases, if it did I would already have sent the link to our CTO.

greggman, nearly 9 years ago
Isn't this actually the wrong solution? I thought I was told I should be pulling my dependencies into my own cloned repos. Then my project uses my clones. When I want an update I test it out, update the cloned repo and update the project to use the latest tag/hash of my cloned repo. Isn't that what pretty much all the top projects do?

This way everything is under my control. What good is it if I'm told my dependencies have been deleted? And then I what? Copy my old dep from my dev machine to a cloned repo and point to that? Isn't that the same step as above?

Or maybe I just don't get it.

wiremine, nearly 9 years ago
Cool concept! Is the spec for the dependency.yml file open source? Would be cool to see something like it become a standard: it's a concern for the project owner, but also for the project clients/users.

sethd, nearly 9 years ago
What would be really interesting is a service that would tell me the build status and code coverage metrics for each version of a dependency I use in my project (and each dependency they use in their projects and so on).

Even more interesting would be something that would attempt to force code coverage analysis on projects that use a standard testing framework, have a certain amount of tests present, but don't have CC configured in their project.

At first I was thinking that is what this service did but it doesn't appear to be the case.

musha68k, nearly 9 years ago
There's also a somewhat similar service a friend and myself evaluated a couple of months ago, we had similar ideas but we eventually let go of our prototype because of "fear" of said competition ...

DependencyCI already did better than us in that regard and it seems like they are doing an all-around great job (I especially like the multi language support)! :)

*Hattip* to the team!

RichWalton, nearly 9 years ago
I added my project and the service claims it has 0 dependencies (Listed in the build.gradle file).

Bug?

https://dependencyci.com/github/RichTeaLang/RichTea

machbio, nearly 9 years ago
For python developers - why does not any CI out there support Conda - out of the box.. :(

ericcholis, nearly 9 years ago
Very interesting, but I can't seem to sign up for the trial to use on private repositories.

jakozaur, nearly 9 years ago
Great idea! Would also love an MVP version of that which helps you pick better dependencies.

swalsh, nearly 9 years ago
This would be super useful for making sure left-pad is still functioning.

Pirate-of-SV, nearly 9 years ago
Would be cool if it could support Puppet modules.

benjamuk, nearly 9 years ago
Very proud of Andrew's tenacity and ability to offer a simple solution to a problem that strengthens the open source community rather than ruminating and/or grandstanding about it.