Do you know how many of your dependencies are unmaintained? Here’s how to find out.

by Jeff Stern
on June 4, 2019

Did you know that for many applications, up to 20% of their open source dependencies may be completely unmaintained? We've been tracking unmaintained dependencies as a statistic since launching our new dependency analyzer about a month ago. Now we’ve examined an array of package manager files from different organizations and have found that 20% may even be a conservative estimate for some ecosystems.

In a recent survey, we found that professional developers say they spend about 30% of their time on code maintenance, and at least 20% of that time is spent managing dependencies. This is time that you’d probably rather be spending working on the features that make your app unique, not dealing with issues in underlying open source components.

This is why we created the Tidelift Subscription. It’s a managed open source subscription that can save you time and reduce risk by continually improving the open source packages your app uses. And it’s backed by the maintainers who created those packages in the first place. Your subscription pays the maintainers of the exact packages you use, which means more and more of them will have the incentives in place to keep their packages working well.

Which brings us back to your dependencies. Do you think fewer than 20% of your packages are unmaintained? Our dependency analyzer can give you the answer and much more. You just upload your project manifest and lock files (no code necessary), and we’ll send you a report that answers the following questions:

  • Which of your dependencies are unmaintained?
  • Do any of your dependencies have a known vulnerability?
  • Which dependencies should I update? And to which version?
  • Which licenses are my dependencies using?

Want to better understand the current health of your own app’s dependencies? Try the dependency analyzer and find out!


For best results, upload a pair of package manager files including the manifest (example: Gemfile, package.json) and the corresponding lock file (example: Gemfile.lock, yarn.lock).
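As an added illustration (not Tidelift's analyzer or any of its code), here is a small script that answers the same four report questions for a manifest/lock pair. The package names, the registry snapshot and the "no release in two years means unmaintained" threshold are all constructed assumptions; a real tool would query the package registry and an advisory feed instead.

```python
import json
from datetime import date

# Constructed manifest/lock pair (hypothetical package names), standing in for
# the package.json and package-lock.json a team would upload.
MANIFEST = json.loads('{"dependencies": {"pkg-alpha": "^1.1.0", "pkg-beta": "^4.2.0", "pkg-gamma": "^0.3.0"}}')
LOCK = json.loads('{"dependencies": {"pkg-alpha": {"version": "1.1.3"},'
                  ' "pkg-beta": {"version": "4.2.0"}, "pkg-gamma": {"version": "0.3.1"}}}')

# Constructed registry snapshot: what a live registry/advisory query would return.
REGISTRY = {
    "pkg-alpha": {"latest": "1.1.3", "last_publish": date(2016, 3, 22), "license": "MIT", "vulnerable": set()},
    "pkg-beta": {"latest": "4.3.0", "last_publish": date(2019, 5, 1), "license": "Apache-2.0", "vulnerable": {"4.2.0"}},
    "pkg-gamma": {"latest": "0.3.1", "last_publish": date(2018, 11, 9), "license": "GPL-3.0", "vulnerable": set()},
}
TODAY = date(2019, 6, 4)  # fixed so the results are reproducible
STALE_DAYS = 2 * 365      # assumption: no release in two years counts as "unmaintained"


def analyze(manifest, lock, registry, today=TODAY, stale_days=STALE_DAYS):
    """Build the report for every dependency declared in the manifest."""
    report = {"unmaintained": [], "vulnerable": [], "updates": {}, "licenses": {}, "unresolved": []}
    for name in sorted(manifest.get("dependencies", {})):
        locked = lock.get("dependencies", {}).get(name)
        if locked is None:
            # Manifest and lock file disagree: the pair is out of sync, flag rather than guess.
            report["unresolved"].append(name)
            continue
        meta = registry[name]
        version = locked["version"]
        if (today - meta["last_publish"]).days > stale_days:
            report["unmaintained"].append(name)
        if version in meta["vulnerable"]:
            report["vulnerable"].append(name)
        if version != meta["latest"]:
            report["updates"][name] = (version, meta["latest"])  # (locked, recommended)
        report["licenses"][name] = meta["license"]
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(MANIFEST, LOCK, REGISTRY), indent=2))
```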

