pm
go-licenses
| | pm | go-licenses |
|---|---|---|
| | 1 | 1 |
| Stars | 3 | 788 |
| Growth | - | 2.9% |
| Activity | 0.0 | 2.8 |
| Last commit | almost 2 years ago | 10 days ago |
| Language | Go | Go |
| License | MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Shouldn't have happened: A vulnerability postmortem
> I don't think the exact URL is the problem, it is the fact that it is so easy to include dependencies from external repository that is the problem. In Rust every non-trivial library pulls in 10s or even 100s of dependencies.
But it's also quite a lot easier to audit those dependencies, even automatically (incidentally, GitHub provides dependency scanning for free for many languages).
> Then there is the issue of licencing - how to verify that I am not using some library in violation of its licence and what happens if the licence changes down the road and I don't notice it because I am implicitly using 500 dependencies due to my 3 main libraries?
This is also an automated task. For example, https://github.com/google/go-licenses
> go-licenses analyzes the dependency tree of a Go package/binary. It can output a report on the libraries used and under what license they can be used. It can also collect all of the license documents, copyright notices and source code into a directory in order to comply with license terms on redistribution.
> Rust and Go have solved memory safety compared to C and C++ but have introduced dependency hell of yet unknown proportions.
I mean, it's been a decade and things seem to be going pretty well. Also, I don't think anyone who has actually used these languages seriously has ever characterized their dependency management as "dependency hell"; however, lots of people talk about the "dependency hell" of managing C and C++ dependencies.
> Python and other dynamically typed languages are in a league of their own in that on top of the dependency hell they also do not provide compiler checks that would allow the user to see the problem before the exact conditions occur at runtime.
I won't argue with you there.
What are some alternatives?
keel - Kubernetes Operator to automate Helm, DaemonSet, StatefulSet & Deployment updates
gitgen - Generate license and gitignore files from Go without an internet connection. It also has a convenience CLI, but can be used as a library as well
automaxprocs - Automatically set GOMAXPROCS to match Linux container CPU quota.
addlicense - A program which ensures source code files have copyright license headers by scanning directory patterns recursively
JDK - JDK main-line development https://openjdk.org/projects/jdk
ort - A suite of tools to automate software compliance checks.