undefined | Better HN

0 pointsusrusr5y ago0 comments

In the Java world we have the Maven repository dependency aggregators like mvnrepository.com that accidentally serve as some kind of citeseer equivalent. I assume similar things exist for the package managers of other languages as well?

But obviously most commercial usage remains invisible. I could imagine a hybrid cultural/technological approach were dev teams publish/are allowed to publish at least usage metadata were they can't publish source (or actually contribute).

There's a huge tie-in with security, I remember heated discussions were one side tries to establish this as an audit mechanism ("how vulnerable is product x really, in terms of outdated dependencies?") and incentive for updating, while the other side is crazy scared of punishing a list of potential attack surfaces. Perhaps the implied attribution benefit should become part this discussion as well?

0 pointsusrusr5y ago0 comments

0 comments

6 comments · 1 top-level

josephg5y ago· 5 in thread

For javascript packages, npm lists which other packages which depend on any given package, and how many times a package was downloaded in the last week. That gives you a rough sense of usage, but it can also be super mysterious.

As an example, here's a package I wrote which I haven't touched in 3 years: https://www.npmjs.com/package/jumprope

There are no projects on npm which depend on this, and yet it gets downloaded about 3000 times per week. Who's using it? I have no idea. Are they running into any problems? I suppose not, I mean, there aren't any issues on github. Its kinda spooky.

usrusrOP5y ago

Thanks, just like I expected. Hopefully every at least remotely modern dependency/package manager has some sort of citeseer equivalent in its ecosystem.

And your last paragraph nicely illustrates the blindness we get from closed projects/products not publishing their dependency metadata. I suppose that for client side js a tiny subset of usage stats could be generated by CDN distribution, but repackaging is a thing (and for good reason, in many cases)

rightbyte5y ago

   Rope took 5610 ms. 0.001122 ms per iteration, 891k iterations per second
   JS toString took 3463 ms. 0.003463 ms per iteration, 288k iterations per second

I guess you have a typo there in total time?

ratww5y ago

You can possibly find some users in Github: https://github.com/search?q=jumprope+filename%3Apackage.json...

ianwalter5y ago

I really wish GitHub would invest more in the dependency graph, like allow you to sort by stars at least: https://github.com/josephg/jumprope/network/dependents

josephg5y ago

Oh good idea! It looks like Github also tracks a project's dependancy tree explicitly, though those 3000 downloads per week remain a mystery:

https://github.com/josephg/jumprope/network/dependents

1 more reply

j / k navigate · click thread line to collapse