Choosing the right software package for your project can sometimes feel like finding a needle in a haystack. Package registries do a great job at being comprehensive, but they can’t necessarily guide you to the best package for your project. What is a “high quality” package anyway? This is a problem the OSS community has been grappling with for some time.
We’re proud to announce the full public release of Cloudsmith Navigator. Navigator is designed to help software engineering teams select the highest quality packages early in their development lifecycle. Navigator integrates and analyses data on 40,000 of the most popular open source packages across NPM, PyPI, RubyGems and Maven, assigning each one a unique quality score based on adherence to security standards, good maintenance metrics, and thorough documentation.
Why We Built Navigator
Like most software engineering teams, we regularly look for software packages to help us get our work done. Finding and selecting the right open source package for a project is not straightforward. It's a balancing act. You need to find something that helps you get the job done, but often a package's functionality is just the starting point.
Many packages accomplish similar objectives. Some are more secure than others. Some have better documentation than others. Some are new to the ecosystem, while others are tried and tested.
The perfect package doesn't exist. We regularly wonder what constitutes a high quality package, and this is something that has been a source of discussion and debate for as long as open source software has existed.
How Navigator Helps
Navigator offers a simple heuristic, “is the package any good?”, and then backs it up with detailed information. It cuts through the noise for engineering teams. We have developed our own unique perspective on what constitutes a great package, and we have expressed it in three essential metrics:
- The first metric is Package Quality. This is where you'll find information about the essential security and community uptake of a package. If a package has no open CVEs, good test coverage, current dependencies, and is widely used in the open source community, it’s likely to score highly on Navigator’s quality metric.
- The next metric is designed to capture a package's Maintenance. A package will score highly if it is regularly maintained by a wide pool of contributors, underpinned by a code of conduct.
- The final metric in our Navigator scorecard describes a package's Documentation. There is nothing mysterious here: we score packages highly where they have a README, a documentation website, and a changelog.
Looking Beyond the Surface
Unlike any other free tool, Navigator can analyse the quality of package dependencies. If a package looks good on the surface, you really should try to understand what packages it relies on at runtime and build time. Navigator analyses these dependencies where possible, so it's never been easier to understand the trade-offs involved in consuming an OSS package.
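As an added illustration of the three-metric scorecard and the dependency look-through described above (this is not Navigator's own scoring model), the toy scorer below rates constructed package metadata on quality, maintenance and documentation, then follows runtime and build-time dependencies transitively to surface the weakest link. The weights, field names and package names are assumptions made for the example.

```python
from dataclasses import dataclass, field
@dataclass
class PackageFacts:
    open_cves: int
    test_coverage: float      # fraction of code covered, 0.0 to 1.0
    deps_current: bool
    widely_used: bool
    recently_maintained: bool
    contributors: int
    code_of_conduct: bool
    has_readme: bool
    has_docs_site: bool
    has_changelog: bool
    runtime_deps: list = field(default_factory=list)
    build_deps: list = field(default_factory=list)

def quality_score(p):
    # Weights are illustrative; the post names the criteria, not the weights.
    return (40 * (p.open_cves == 0) + 20 * (p.test_coverage >= 0.8)
            + 20 * p.deps_current + 20 * p.widely_used)
def maintenance_score(p):
    return 40 * p.recently_maintained + 10 * min(p.contributors, 5) + 10 * p.code_of_conduct
def documentation_score(p):
    return 40 * p.has_readme + 30 * p.has_docs_site + 30 * p.has_changelog
def scorecard(name, registry):
    p = registry[name]
    return {"quality": quality_score(p), "maintenance": maintenance_score(p),
            "documentation": documentation_score(p)}

def weakest_dependency(name, registry, seen=None):
    """Return (package, quality) for the lowest-scoring package at or below
    `name`, following runtime and build-time dependencies transitively."""
    seen = seen if seen is not None else set()
    seen.add(name)
    worst = (name, quality_score(registry[name]))
    for dep in registry[name].runtime_deps + registry[name].build_deps:
        if dep not in seen:   # a dependency graph may contain cycles
            worst = min(worst, weakest_dependency(dep, registry, seen), key=lambda w: w[1])
    return worst
# Constructed registry: app-framework is flawless on the surface but reaches
# legacy-parser (open CVEs, stale deps) through http-client at runtime.
REGISTRY = {
    "app-framework": PackageFacts(0, 0.9, True, True, True, 8, True, True, True, True,
                                  runtime_deps=["http-client"], build_deps=["build-tool"]),
    "http-client": PackageFacts(0, 0.85, True, True, True, 3, False, True, True, False,
                                runtime_deps=["legacy-parser"]),
    "legacy-parser": PackageFacts(2, 0.3, False, True, False, 1, False, True, False, False),
    "build-tool": PackageFacts(0, 0.7, True, True, True, 4, True, True, True, True),
}
```

Scoring `app-framework` alone gives a perfect card, while `weakest_dependency("app-framework", REGISTRY)` points at `legacy-parser`, which is the trade-off a surface-level look would miss.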
Why Navigator is Better
For the first time, we as a team have somewhere to go where we can quickly assess package quality. It's no longer a scavenger hunt. We no longer need to overinterpret the number of stars a package has on GitHub, or trawl through multiple sources of information, just to understand if a package is documented, or currently maintained.
We think this is something that all software engineering teams will use, so we’re making it available to the community. After an initial beta in late 2023, we're happy to announce that Navigator is now ready for general availability.
Over time, we’ll add many more packages and enhance quality scores to include real-world usage data, something that is only possible with Cloudsmith. Thanks to our cloud architecture, we have a unique understanding of the way software is built today. We’re excited to incorporate some of our unique insights into future versions of Cloudsmith Navigator.