A software dependency health checker to help you make informed decisions about adding new libraries to your codebase.
Whenever you consider adding a new software dependency, use shouldiuse.dev to evaluate it first. Software engineers frequently face the choice between building a feature themselves and adopting an existing library. Dependencies are inevitable, but their quality and ongoing maintenance must be verified rather than assumed. Before integrating a new library, engineers should understand its maintenance status, the responsiveness of its maintainers, issue volume, bug-fix frequency, project roadmap, release cadence, and API stability. Once a dependency is added, it becomes a long-term commitment that should not be taken lightly. shouldiuse.dev provides a simplified score to support that decision.
shouldiuse.dev combines OpenSSF Scorecard, a widely used tool for automated software security assessments, with metrics gathered from GitHub, simplifying and accelerating dependency evaluations. Scorecard assesses known vulnerabilities, branch protection configuration, code review enforcement, dependency pinning, and release signing practices, and assigns each repository a transparent security score aligned with industry best practices. The score is a summary; the per-check results explain which practices a project is missing.
In addition to security, shouldiuse.dev examines maintenance health, evaluating aspects such as active development, responsiveness to issues, frequency of releases, community engagement, number of contributors, and the quality of documentation. These insights help engineers judge the long-term stability and viability of a project before committing to it.
Technically, shouldiuse.dev runs on a Go backend that uses the ossf/scorecard library for security assessments and the GitHub API for community and maintenance data. Summaries and recommendations are partly generated by OpenAI models, so treat them as a reading of the underlying metrics and check them against the raw check results when a decision matters. PostgreSQL caches results so repeat queries return quickly. Users authenticate to GitHub by supplying a personal access token, which shouldiuse.dev uses to call the GitHub API on their behalf; since only public repository data is read, a fine-grained token with read-only permissions is sufficient, and you should not hand over a token with broader scopes than that.
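The Scorecard side of such a backend is easiest to see on the tool's own JSON output. The following Go program is an added example, not shouldiuse.dev's own code: it assumes the layout that `scorecard --format=json` emits (a top-level `score`, a `repo` object, and a `checks` array whose entries carry `name`, `score` and `reason`), derives a simplified weighted score, and lists the checks that fall below a threshold. The weights, the threshold and the sample result are constructed for illustration. The one edge case worth noticing is that Scorecard reports a score of -1 for a check it could not evaluate (Branch-Protection, for instance, needs elevated repository access); those entries must be excluded from the aggregate rather than counted as zero, or every repository you do not administer looks worse than it is.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// ScorecardResult mirrors the top-level fields of `scorecard --format=json` output
// that this example needs (assumed layout; other fields are ignored by encoding/json).
type ScorecardResult struct {
	Repo struct {
		Name   string `json:"name"`
		Commit string `json:"commit"`
	} `json:"repo"`
	Score  float64 `json:"score"`
	Checks []Check `json:"checks"`
}

// Check is one Scorecard check. Score is 0..10, or -1 when the check could not be evaluated.
type Check struct {
	Name   string  `json:"name"`
	Score  float64 `json:"score"`
	Reason string  `json:"reason"`
}

// Finding is an evaluated check that scored below the caller's threshold.
type Finding struct {
	Check  string
	Score  float64
	Reason string
}

// weights is a hypothetical weighting: the checks the page singles out count more than the rest,
// every other check gets weight 1.
var weights = map[string]float64{
	"Vulnerabilities":     3,
	"Branch-Protection":   2,
	"Code-Review":         2,
	"Pinned-Dependencies": 2,
	"Signed-Releases":     2,
}

// Summarize returns a weighted 0..10 score over the checks Scorecard actually evaluated,
// plus the evaluated checks scoring below threshold, weakest first.
// Checks with score -1 (not evaluated) are skipped so they neither help nor hurt the total.
func Summarize(raw []byte, threshold float64) (float64, []Finding, error) {
	var res ScorecardResult
	if err := json.Unmarshal(raw, &res); err != nil {
		return 0, nil, fmt.Errorf("parsing scorecard output: %w", err)
	}
	var sum, total float64
	var findings []Finding
	for _, c := range res.Checks {
		if c.Score < 0 {
			continue // -1: Scorecard could not evaluate this check
		}
		w, ok := weights[c.Name]
		if !ok {
			w = 1
		}
		sum += w * c.Score
		total += w
		if c.Score < threshold {
			findings = append(findings, Finding{c.Name, c.Score, c.Reason})
		}
	}
	if total == 0 {
		return 0, nil, fmt.Errorf("no evaluated checks for %s", res.Repo.Name)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Score < findings[j].Score })
	return sum / total, findings, nil
}

// SampleResult is a constructed Scorecard result for illustration; it is not real data.
const SampleResult = `{
  "repo": {"name": "github.com/example/somelib", "commit": "0000000000000000000000000000000000000000"},
  "score": 6.7,
  "checks": [
    {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
    {"name": "Branch-Protection", "score": -1, "reason": "internal error: branch protection not readable with this token"},
    {"name": "Code-Review", "score": 4, "reason": "Found 4/10 approved changesets"},
    {"name": "Pinned-Dependencies", "score": 7, "reason": "dependency not pinned by hash detected"},
    {"name": "Signed-Releases", "score": 0, "reason": "0 out of the last 5 releases have a signature"},
    {"name": "Maintained", "score": 9, "reason": "commits and issue activity in the last 90 days"},
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"}
  ]
}`

func main() {
	score, findings, err := Summarize([]byte(SampleResult), 5)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("simplified score: %.1f/10\n", score)
	for _, f := range findings {
		fmt.Printf("  weak: %-20s %2.0f  %s\n", f.Check, f.Score, f.Reason)
	}
}
```

Run against real output with `scorecard --repo=github.com/<owner>/<repo> --format=json > result.json` and feed the file to `Summarize`; the unevaluated Branch-Protection entry in the sample is exactly what you will see for repositories you do not administer, and the weighted score above ignores it instead of penalising the project for it.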
The first analysis of a repository takes a few seconds; the result is then cached, so later lookups of the same repository return immediately. shouldiuse.dev currently supports public GitHub repositories, with expansion to other platforms depending on user interest and demand.
Get comprehensive health insights and security analysis for any GitHub repository.
Start Analysis