I try to minimise the impact of security vulnerabilities, but it just seems painstaking to look through a ton of code. Is there processes that people/companies follow that decrease the time taken to do this?
- how recent was the last commit?<p>- what is the license? (Avoiding copyleft headaches)<p>- do the issues look cared for?<p>- is there an issue asking “is the project maintained any longer?”<p>- what business or person is behind the project? What is their motive for creating the project?<p>- how much of an impact would it be if the project disappeared tomorrow? Could I maintain a fork or rebuild it? Is it core business functionality or a side thing?<p>- do others at my company use it? Or do they have a different library/etc for solving the problem?
I check if it's on a list of libraries that we're allowed to use in our bank (my employer). Then I learn that the list is a total mess, the people in charge of it have been purged in the latest round of cost-saving-inspired firings and apparently no one was assigned this responsibility after that. Then I just use whatever I want.
Just the basics: number of installs, activity of maintainers, the "feel" of their Github repository.<p>I have never had the need (nor was I asked) to vet code in depth before adding a dependency.
Ideally you can use the libraries provided by your linux distribution / vendor, and they can do the heavy lifting and economies of scale can be taken advantage of.<p>Even if you're not actually running your code on Debian / RHEL / whatever, using libraries that are distributed by those vendors where possible is a good start.