deps.fyi

⚠️

FYI, it looks like you're not yet using deps.fyi!

This means you're missing out on some crucial insights into your organisation's usage of Open Source and internal dependencies such as:

  • Where are we using known end-of-life or unmaintained software?
  • Which "banned" dependencies are we using in our organisation?
  • Where are internal and external projects at risk of supply chain security attacks?
  • How can I handle that dependency moving to a non-OSI approved license?
  • Which maintainers are my organisation most reliant on, and who should we be funding?

You should sign up to register interest, and be notified when you're able to start getting these insights 👀

What is deps.fyi?

deps.fyi is a SaaS platform for understanding your organisation's usage of external and internal software dependencies. It is built on top of, and in concert with, the Dependency Management Data project (aka DMD).

The SaaS platform will provide a number of Enterprise-only features and integrations, on top of ⚡ supercharging ⚡ the utility of DMD and its adoption across your organisation.

On top of the existing functionality available in the upstream Open Source (Apache-2.0 licensed) project, you can also get Enterprise-focussed features, such as:

FYI for teams

Help your engineering teams by giving them a more actionable team-level view of their repositories, components and dependencies. Feed in information from your service catalog (e.g. Backstage) and source control platform (e.g. GitHub, GitLab) to enrich the view of the data.

Additionally, empower them to provide their own view on metadata, such as "our Go services shouldn't use ginkgo" or "we should have a minimum of TypeScript xx across all customer-facing applications".

FYI for operational incidents

If you discovered that there was an issue with a dependency (either an operational/performance risk, or a security risk), how would you work out which parts of the organisation are affected?

For instance, read this example of how Deliveroo used DMD to respond to an incident, and what they did to triage and better prioritise the necessary work.

FYI for Open Source Program Offices (OSPOs)

Help your organisation better engage with the vast web of software that you so heavily depend on, understanding where to better send funding or otherwise give thanks to key maintainers and projects that deserve it.

Use commonly used health metrics to understand the state of key dependencies, and where this could lead to risk for the organisation.

FYI for risk

Help security responders understand where in the organisation given dependencies are used, and how to get in contact with owning teams, including triggering straightforward upgrade paths.

Alternatively, support your legal team in understanding where there could be problematic usages of dependencies that use licenses your organisation wishes to avoid.

Alternatively, find dependencies used in critical parts of your organisation that are either not being maintained upstream, or are not being regularly updated by teams.

FYI for leadership

Get a high-level view of the risks and areas for improvement across your reporting structure, and get insights into how your teams are responding to their ever-ageing dependency tree.

FYI for "should I use this dependency"

Provide actionable up-front insights for your teams into whether they should use that dependency, before it lands in your production code.

How can I keep up-to-date with news?

Thanks for reading this far, and your interest!

You can sign up to the waitlist.

There will also be updates via our account on Bluesky, @deps.fyi.

We'll have an RSS feed coming soon!