Deadpendency Getting Started

Installation

Go to the Deadpendency app on GitHub marketplace and install it. Select which repositories to install the GitHub app on.

How Deadpendency Works

Here is a quick high level overview of how Deadpendency works.

  1. Push a commit to your repository.
  2. The top 2 programming languages used in your repository are identified.
  3. The default dependency files of these programming languages are read.
  4. Additional dependencies, or dependency files can be loaded via config.
  5. All found dependencies are assessed for project health.
  6. A report is produced. The 'check' will fail if the dependencies are not healthy.

Using Deadpendency

Start by pushing a commit to your repository. It may be best to start with a pull request.

Deadpendency will run, producing a report. There are a few possible results from the report.

No Dependencies Found

This is due to either using a non-supported language, or more likely, your dependency files are in non-standard locations.

Refer to language support for the default dependency files loaded. You may need to configure additional dependency files in the config.

The Check Passes 😊

This indicates that all your dependencies are actively being maintained. Deadpendency will continue to monitor your dependencies as new commits are pushed. Nothing to do here.

The Check Passes with Warnings 🤒

This indicates that some of your dependencies have health concerns. For example, there may be no commits within the last year.

Warnings highlight dependencies that may become problematic in the future, but are not yet of concern. They can be reviewed at your discretion.

Only failures should require your immediate attention, which is why the warnings still constitute a 'pass' of the check.

The Check Fails 🧟‍♀️

This indicates that some of your dependencies have serious health concerns. For example, they may have been flagged as deprecated.

At this point you should review the failures. You then have a few options.

Ignore the failing dependencies

Sometimes there is no choice but to depend on an inactive or unhealthy dependency. For example, there may be no viable alternatives.

In this case it is recommended to ignore the dependency from being checked by Deadpendency.

Adjust your failure thresholds

Depending on your ecosystem, different failure thresholds for Deadpendency may make sense. Or you may decide to disable (or set as a warning) some checks entirely.

It is recommended that you tune the checks so that failures are rare. Thus when they do happen, you know it is worth your attention to assess the dependency.

Switch to an alternative

Ideally, if a dependency is no longer going to be well maintained, you should switch to an alternative that is well maintained. The most clear cut cases are when dependency X is deprecated in favor of dependency Y.

Using Deadpendency Long Term

It is recommended to keep your Deadpendency check passing, by ignoring or switching away from 'dead' dependencies.

Then, as you work on your project and push commits, Deadpendency will monitor your dependency health. You can largely ignore the check until you see a new failure.

Keep Reading

Check out the documentation page for more specific details of Deadpendency.

Feedback

If you get any unexpected behavior, or if you want a specific feature, please give feedback via this GitHub repository.