oliverdavies.uk/source/_daily_emails/2024-06-13.md

---
title: Vetting third-party open-source software
date: 2024-06-13
permalink: daily/2024/06/13/vetting-third-party-open-source-software
tags:
  - software-development
  - drupal
  - open-source
cta: ~
snippet: |
  How do you vet open-source software you're thinking of adding to your project?
---

Open-source software, such as Drupal modules and themes, PHP libraries and Tailwind CSS plugins, is great.

Instead of writing everything from scratch, if someone else has written what you need, you can use it.

In the Drupal ecosystem, there's a saying - "There's a module for that!".

But, assuming you find a project that adds the functionality you need, you should review and vet it before adding it to your application.

Adding too many modules and libraries can cause performance issues, add a maintenance overhead, introduce upstream bugs and add potential security vulnerabilities.

As well as reading the code, here are some questions I ask and things I look for when deciding to add a project or not:

- Does it do what I need?
- Does it add too much functionality? Is there a more minimal version that does what I need without the extra overhead?
- Does it have a stable release? If there's only a development or alpha release (which are unstable and can break at any time), I wouldn't add it.
- Is it extendable? Can I configure or extend it if I need to add more or alter it's default functionality?
- How many other websites are using it? Websites like Drupal.org and Packagist will show usage statistics.
- How many open issues are there?
- When was the most recent commit and release?
- Does it have automated tests? If so, are they passing?
- Does it have a README.md file or other documentation?
- Who are the maintainers?
- Are they responsive to issues and accepting of outside contributions? If I find a bug, can I fix and contribute it?
- Does the project have a published roadmap?

Finally:

Do I really need it?