4 comments

  • SCUSKU 6 hours ago
    Tried a public repo but it asked for a personal access token? No thanks. Otherwise a great idea, but why should I give a personal access token for something that's publicly available? It really does not inspire confidence.
    • pmig 5 hours ago
      Thanks scusku, the personal access token does not have any additional permissions; we just need to avoid getting rate limited.
      • Sleaker 5 hours ago
        Sharing a GitHub API token to bypass rate limiting is explicitly in violation of section H of the terms on GitHub usage.

        https://docs.github.com/en/site-policy/github-terms/github-t...

        • pmig 5 hours ago
          Most applications are designed in that way; think about ossf scorecard, star-history.com etc.
      • kissgyorgy 5 hours ago
        Why don't you use your own personal access token?
        • pmig 5 hours ago
          We did, but ran into the API limits, as ossf/scorecard alone is quite expensive in GitHub requests.
          • rglover 5 hours ago
            Implement an OAuth flow with Github and then you can avoid that entirely.
            • pmig 5 hours ago
              Good point, will work on that!
        • dylan604 5 hours ago
          never pay for something yourself when you can have someone else pay for it. it's a useful concept that can be used in many many cases. the 1%ers love this concept
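The rate-limit problem in the thread above, worked through as an added example that is not code from shouldiuse.dev or from anyone in this thread. It demonstrates two documented GitHub API behaviours that bear on the discussion: a conditional request (If-None-Match with a stored ETag) that comes back 304 Not Modified does not count against the primary rate limit, and the X-RateLimit-Remaining / X-RateLimit-Reset headers tell a client exactly how long to back off. `FakeGitHub` is a constructed in-memory stand-in for api.github.com so the block runs offline; its request budget and canned resource are assumptions for illustration.

```python
"""Staying under GitHub's API rate limit without borrowing anyone's token."""
import time


class RateLimited(Exception):
    def __init__(self, wait_seconds: float):
        super().__init__(f"rate limited; retry in {wait_seconds:.0f}s")
        self.wait_seconds = wait_seconds


class FakeGitHub:
    """Constructed stand-in for the API: fixed request budget, ETag-aware, GitHub-style headers."""

    def __init__(self, limit: int = 60, reset_at: float = 3600.0):
        self.remaining = limit
        self.reset_at = reset_at
        # path -> (JSON body, ETag); a constructed resource, not a real repository
        self.resources = {"/repos/example/lib": ({"stargazers_count": 42}, '"etag-v1"')}

    def _headers(self, etag: str) -> dict:
        return {"ETag": etag,
                "X-RateLimit-Remaining": str(self.remaining),
                "X-RateLimit-Reset": str(int(self.reset_at))}

    def get(self, path: str, headers: dict):
        body, etag = self.resources[path]
        if headers.get("If-None-Match") == etag:
            return 304, self._headers(etag), None       # revalidation is not charged to the budget
        if self.remaining == 0:
            return 403, self._headers(etag), {"message": "API rate limit exceeded"}
        self.remaining -= 1
        return 200, self._headers(etag), body


class CachingClient:
    """ETag cache plus rate-limit handling, the way a scanner should talk to GitHub."""

    def __init__(self, transport, clock=time.time):
        self.transport = transport
        self.clock = clock
        self.cache = {}     # path -> (etag, body)

    def get(self, path: str):
        headers = {}
        cached = self.cache.get(path)
        if cached is not None:
            headers["If-None-Match"] = cached[0]
        status, resp_headers, body = self.transport.get(path, headers)
        if status == 304:
            return cached[1]                            # served from our cache, for free
        if status in (403, 429) and resp_headers.get("X-RateLimit-Remaining") == "0":
            reset = float(resp_headers["X-RateLimit-Reset"])
            raise RateLimited(max(0.0, reset - self.clock()))
        if status == 200:
            self.cache[path] = (resp_headers.get("ETag"), body)
            return body
        raise RuntimeError(f"unexpected status {status} for {path}")


def repeated_reads(limit: int, reads: int, use_cache: bool = True):
    """Read one resource `reads` times against a budget of `limit` requests.

    Returns (successful_reads, remaining_budget, seconds_to_wait_or_None)."""
    gh = FakeGitHub(limit=limit, reset_at=900.0)
    client = CachingClient(gh, clock=lambda: 0.0)
    done = 0
    for _ in range(reads):
        if not use_cache:
            client.cache.clear()                        # a client with no ETag store
        try:
            client.get("/repos/example/lib")
            done += 1
        except RateLimited as exc:
            return done, gh.remaining, exc.wait_seconds
    return done, gh.remaining, None


if __name__ == "__main__":
    print("with ETag cache:   ", repeated_reads(limit=2, reads=5))
    print("without ETag cache:", repeated_reads(limit=2, reads=5, use_cache=False))
```

With a budget of two requests, the caching client re-reads the same resource five times and still has one request left, while the cache-less client is told to wait for the reset after its third call. Combined with a single token owned by the service (or the OAuth flow suggested above), this is what keeps a scanner under the limit without asking users for credentials.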
  • woodruffw 6 hours ago
    This should come with a heavy caveat: it’s based on heuristics, and heuristics can be wrong (at best) or maliciously gamed (at worst).

    I wish companies would take a simpler approach: stop intermediating your open source interactions through middlemen, and work directly with your upstreams. You might discover that you have too many to work with, in which case you’ve laid the problem bare rather than obscuring it with metrics and policies.

    • pmig 5 hours ago
      Thanks for the feedback; shouldiuse.dev gave us a lot of information at first glance.
    • mentalgear 5 hours ago
      can you explain/expand?
      • FlyingAvatar 5 hours ago
        If you have a dependency that is simple and stable, it could appear unmaintained since it doesn't have a lot of recent commits, bug reports, comment history, etc.

        If a library author wants to make their package "look" maintained for some reason, they could generate superfluous commits and open and close fake bug reports. This could be a "good" signal to the heuristic, but has no real-world benefit or, worst case, could be used to lend credibility to a package with known vulnerabilities.

        • pmig 4 hours ago
          We actually check how many different organizations the last committers belong to and analyze whether the most recent commits have been done by bots (like renovate or dependabot).
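The gaming concern and the bot-aware check from the two comments above, as an added example that is not code from shouldiuse.dev or from anyone in this thread. It runs over a constructed list of commits in roughly the shape returned by the GitHub commits API (author login, author email, message) and applies the two checks described: how many distinct organizations the most recent human committers belong to, and what share of recent commits came from bots such as renovate or dependabot. Treating the author's email domain as the organization and the bot-login regular expression are assumptions made for this example.

```python
"""Maintenance-signal heuristics over a commit history, with bot padding made visible."""
from collections import Counter
from dataclasses import dataclass
import re

# Assumption: GitHub App bots carry a "[bot]" suffix; the two named dependency
# bots are also matched by login prefix.
BOT_LOGIN_RE = re.compile(r"\[bot\]$|^(renovate|dependabot)(-|\[|$)", re.I)


@dataclass(frozen=True)
class Commit:
    login: str     # GitHub login of the author
    email: str     # author email recorded in the commit
    message: str


def is_bot(commit: Commit) -> bool:
    return bool(BOT_LOGIN_RE.search(commit.login))


def org_of(commit: Commit) -> str:
    """Map a committer to an organization (assumption: the email domain)."""
    domain = commit.email.rsplit("@", 1)[-1].lower()
    if domain.endswith("users.noreply.github.com"):
        return "unaffiliated"   # GitHub's privacy address says nothing about an employer
    return domain


def naive_activity_score(commits) -> int:
    """The kind of signal that is easy to game: raw commit count."""
    return len(commits)


def maintenance_signals(commits, window: int = 30) -> dict:
    """Bot-aware signals over the `window` most recent commits (newest first)."""
    recent = commits[:window]
    humans = [c for c in recent if not is_bot(c)]
    orgs = Counter(org_of(c) for c in humans)
    return {
        "recent": len(recent),
        "bot_share": (len(recent) - len(humans)) / len(recent) if recent else 0.0,
        "human_committers": len({c.login for c in humans}),
        "distinct_orgs": len(orgs),
        "top_org_share": max(orgs.values()) / len(humans) if humans else 0.0,
    }


def assess(signals: dict) -> list:
    """Turn signals into review flags; they prompt a closer look, not a verdict."""
    flags = []
    if signals["bot_share"] >= 0.8:
        flags.append("recent activity is mostly bot commits")
    if signals["human_committers"] <= 1:
        flags.append("at most one human committer in the window")
    if signals["distinct_orgs"] <= 1:
        flags.append("all human commits come from one organization")
    return flags


def _history(login, email, n, message):
    return [Commit(login, email, f"{message} ({i})") for i in range(n)]


# Constructed sample histories (newest first); no real repositories or people.
HEALTHY = (_history("alice", "alice@example-corp.com", 4, "fix: handle empty input")
           + _history("bob", "bob@example.org", 3, "docs: clarify usage")
           + _history("carol", "123+carol@users.noreply.github.com", 2, "test: add case"))

PADDED = (_history("renovate[bot]", "renovate[bot]@users.noreply.github.com", 25,
                   "chore(deps): update dependency")
          + _history("dave", "dave@example-corp.com", 1, "chore: bump version"))


if __name__ == "__main__":
    for name, history in (("healthy", HEALTHY), ("padded", PADDED)):
        print(name, "naive score:", naive_activity_score(history))
        print(name, "signals:", maintenance_signals(history))
        print(name, "flags:", assess(maintenance_signals(history)))
```

The padded history wins on raw commit count, which is the weakness FlyingAvatar describes; the bot-aware signals instead show one human committer from one organization behind a wall of dependency-update commits and raise three flags, while the smaller but genuinely shared history raises none. A quiet, stable library with a single maintainer will still trip the committer flag, which is why these are inputs to a review rather than a score.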
  • kissgyorgy 5 hours ago
    The only thing crazier than asking for a personal access token is that people probably do it.
  • jacooper 4 hours ago
    Why not open source it? It's almost fully vibe coded anyway