I usually: google relevant terms -> open a few candidates in a new tab -> go through the examples -> glance at the docs -> check the pulse and popularity -> pick the best looking lib.
Most people just pick a library they are comfortable with or they think will solve their current need. The reason this can be bad is because it leads to bloat, duplication, potential licensing issues, unneeded dependencies and honestly many times just unnecessary code being included.
When evaluating a library, the three big questions on my mind are, 1) is it absolutely 100% necessary, 2) Does it introduce any security concerns, 3) Is it actively maintained and licensed properly for my product license. A fourth question closely following is what dependencies does it also introduce to my system.
Many times going through code bases I have seen an entire library included for 1 method that could easily be replicated in code. Yes, creating your own method comes at a cost but frankly including a library and dependency is generally a larger cost over time.
I have also seen libraries included into code bases where the last update to the library was 4 years ago and it is all but dead. Sure 10k projects use it cause they included it 4 years ago but that doesn't mean it is stable, maintained and secure today. And if a library is so simple it doesn't have to be touched for 4 years, then likely I don't need to be including it from a third party (but I could see exceptions).
Lastly, license type matters a ton, developers don't think about it, but including the wrong type of open source library into a closed paid product can be a major pain and these things have to be thought out carefully to keep the company out of trouble.
Many times going through code bases I have seen an entire library included for 1 method that could easily be replicated in code.
I've seen this too. Initially, I thought it was an internal joke.
Lastly, license type matters a ton,
Probably more of a concern for established companies, startups usually don't pay much attention to this.
A fourth question closely following is what dependencies does it also introduce to my system.
This could be very time consuming for dependancy-rich libraries. At least license types can be auto inspected with a recursive tool. Dispelling security concerns would require some serious auditing.
My main criterion is whether I like the docs or not. I rarely regret picking a well-documented library but usually regret picking a poorly documented one.
Other than that, I try to pick the simplest library that does what I want. I do mean simplest as in "easiest to use", not necessarily as in "most minimal", though the two tend to correlate to some extent.
4 comments
[ 2.0 ms ] story [ 27.4 ms ] threadWhen evaluating a library, the three big questions on my mind are, 1) is it absolutely 100% necessary, 2) Does it introduce any security concerns, 3) Is it actively maintained and licensed properly for my product license. A fourth question closely following is what dependencies does it also introduce to my system.
Many times going through code bases I have seen an entire library included for 1 method that could easily be replicated in code. Yes, creating your own method comes at a cost but frankly including a library and dependency is generally a larger cost over time.
I have also seen libraries included into code bases where the last update to the library was 4 years ago and it is all but dead. Sure 10k projects use it cause they included it 4 years ago but that doesn't mean it is stable, maintained and secure today. And if a library is so simple it doesn't have to be touched for 4 years, then likely I don't need to be including it from a third party (but I could see exceptions).
Lastly, license type matters a ton, developers don't think about it, but including the wrong type of open source library into a closed paid product can be a major pain and these things have to be thought out carefully to keep the company out of trouble.
I've seen this too. Initially, I thought it was an internal joke.
Lastly, license type matters a ton,
Probably more of a concern for established companies, startups usually don't pay much attention to this.
A fourth question closely following is what dependencies does it also introduce to my system.
This could be very time consuming for dependancy-rich libraries. At least license types can be auto inspected with a recursive tool. Dispelling security concerns would require some serious auditing.
Other than that, I try to pick the simplest library that does what I want. I do mean simplest as in "easiest to use", not necessarily as in "most minimal", though the two tend to correlate to some extent.