About Dependency CI

Software projects now carry a large number of open source dependencies, and developers need better tools to keep on top of them: to find out whether any dependency is incorrectly licensed, marked as deprecated or unmaintained by its authors, or has known security vulnerabilities.

Reviewing all of those dependencies by hand is time consuming, so developers often don't bother, which over time can lead to serious technical and potentially legal debt in their code bases.

When it comes time to do due diligence or compliance checks, you might find that you're heavily dependent on a library with a conflicting or missing license, which could mean having to rework the code that depends on it.

Dependency CI integrates directly into your GitHub workflow, just like a traditional CI system. It runs a set of configurable tests on every dependency it detects in the code base, checking for unlicensed, deprecated or unmaintained libraries that your code depends upon.

This works especially well with pull requests: any potentially bad dependency is flagged before you merge it and ship it to production, and you are notified directly in the GitHub interface, via email or via Slack.
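To make the check described above concrete, here is an added example (not Dependency CI's own code, and not taken from this page) that does the two things the service is described as doing on a pull request: it diffs the dependencies declared in a manifest between the base and head of a change, then audits the newly added ones against package metadata for missing or disallowed licenses, deprecation flags and a long gap since the last release. The manifests, the registry metadata and the license allow-list are constructed stand-ins; a real tool would fetch the metadata from a registry or from Libraries.io, and the two-year "unmaintained" threshold is an assumption chosen for the illustration.

```python
import json
from datetime import date

# Constructed package.json-style manifests for the base branch and the PR head.
BASE_MANIFEST = json.dumps({
    "dependencies": {"goodlib": "^4.1.0"},
})
HEAD_MANIFEST = json.dumps({
    "dependencies": {
        "goodlib": "^4.1.0",
        "left-pad": "^1.3.0",
        "oldlib": "2.0.0",
        "mystery": "0.1.0",
    },
})

# Constructed registry metadata standing in for a Libraries.io-style lookup.
METADATA = {
    "goodlib":  {"license": "Apache-2.0", "deprecated": False, "last_release": "2024-01-15"},
    "left-pad": {"license": "WTFPL",      "deprecated": False, "last_release": "2018-04-01"},
    "oldlib":   {"license": "MIT",        "deprecated": True,  "last_release": "2015-02-10"},
    "mystery":  {"license": None,         "deprecated": False, "last_release": "2019-06-30"},
}

# Assumed organisation policy: only these SPDX identifiers are acceptable.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

# Fixed "today" so the example is deterministic.
TODAY = date(2024, 6, 1)
UNMAINTAINED_AFTER_DAYS = 730  # assumed threshold: no release in ~2 years


def parse_dependencies(manifest_json: str) -> dict[str, str]:
    """Return name -> version constraint from the dependency sections of a manifest."""
    data = json.loads(manifest_json)
    deps: dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return deps


def added_dependencies(base_json: str, head_json: str) -> set[str]:
    """Names present in the PR head manifest but not in the base manifest."""
    return set(parse_dependencies(head_json)) - set(parse_dependencies(base_json))


def audit(names, metadata, allowed_licenses, today, unmaintained_after_days=UNMAINTAINED_AFTER_DAYS):
    """Return {name: [reasons]} for every dependency that fails a check."""
    findings: dict[str, list[str]] = {}
    for name in sorted(names):
        reasons: list[str] = []
        meta = metadata.get(name)
        if meta is None:
            # No metadata at all: cannot vouch for the package, so flag it.
            reasons.append("unknown-package")
        else:
            lic = meta.get("license")
            if not lic:
                reasons.append("unlicensed")
            elif lic not in allowed_licenses:
                reasons.append(f"license-not-allowed:{lic}")
            if meta.get("deprecated"):
                reasons.append("deprecated")
            last = date.fromisoformat(meta["last_release"])
            if (today - last).days > unmaintained_after_days:
                reasons.append("unmaintained")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    new = added_dependencies(BASE_MANIFEST, HEAD_MANIFEST)
    for name, reasons in audit(new, METADATA, ALLOWED_LICENSES, TODAY).items():
        print(f"{name}: {', '.join(reasons)}")
```

Auditing only the dependencies a pull request adds keeps the signal focused on the change under review; running `audit` over the full manifest instead gives the whole-code-base view the page describes for an existing project.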

It's built on top of Libraries.io, which gives it access to metadata on over 1.5 million open source libraries, updated more than 200 times per day with the latest releases from over 30 different package managers.

Dependency CI currently supports checking dependencies from 21 popular package managers, including NPM, RubyGems, Maven, CocoaPods, Packagist, Bower and NuGet.