Written by Jamie Tanna
on 
CC-BY-NC-SA-4.0 Apache-2.0
2 mins

Introducing dmd, a command-line tool for Dependency Management Data (DMD)

Featured image for sharing metadata for article

I've been doing a lot of work recently around the dependency data of various projects, which stems from a post and idea of mine from a while ago about monetising the supply chain.

Separate to that lofty goal - especially as there are some tools like socket.dev and StackAid working towards this - is just being able to get some insight into the way that your organisation uses both Open Source and your own internal packages.

As mentioned on the Dependency Management Data site:

Dependency Management Data is a set of tooling to get a better understanding of the use of dependencies across your organisation.

We've been using this as a way to do work out various things like:

  • what versions of AWS/Datadog/etc SDKs are we using, and are any hugely out-of-date?
  • where are we using deprecated (internal) packages, that we'd ideally want to move people along from?
  • where are we using versions of dependencies that have known issues (security or otherwise)?
  • where are we using golangci-lint as a source-tracked dependency instead of as a binary download?

As part of this, I've built a couple of tools, renovate-graph and dependabot-graph to make the data collection process much easier, and then there is a set of scripts that converted from the raw JSON formats to an SQLite database for easier querying.

Over the last few months of doing this a fair bit, and getting more appreciation for the data model, I've finally gotten around to writing a tool for this, installable as dmd.

Right now, this includes the ability to bootstrap the database from renovate-graph or dependabot-graph exports, but as highlighted in the issue tracker, there's quite a few other things I'd like to do with it, like crowdsource common queries that others may find convenient, as well as highlighting packages that are running end-of-life versions of software according to endoflife.date.

I'd also love to hear what other use cases y'all may have for this, or what may be interesting. I've gotten a lot out of this, as have some of my colleagues, and I'm sure others would be able to get some good usage.

If you're interested in giving it a go, check out the example repo, which includes a pre-seeded database to trial.

Written by Jamie Tanna's profile image Jamie Tanna on , and last updated on .

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#dependency-management-data #announcement #go.

This post was filed under articles.

Interactions with this post

Interactions with this post

Below you can find the interactions that this page has had using WebMention.

Have you written a response to this post? Let me know the URL:

Do you not have a website set up with WebMention capabilities? You can use Comment Parade.