What story does your dependency tree tell you about your organisation?

With dependency-management-data (DMD)

Jamie Tanna (https://www.jvt.me)
Senior Software Engineer @ Elastic

/usr/bin/whoami

Timeline of events

  • 2025-07: This tutorial!
  • 2023-07: First public talk
  • 2023-02: Created the dependency-management-data project
  • 2022-08: First iteration with Dependabot
  • 2019: "Formally" considering it
  • 2017: Hacking around

Tutorial structure

  • Slides: This initial blurb
  • Interactive: Grab some data
  • Slides: What is DMD?
  • Interactive: Using the raw data
  • Slides: Enriching dependency data
  • Interactive: Using the enriched data
  • Slides: Some ideas of what you can build on top of this
πŸ™ please give feedback on how this can be improved!

Audience participation (sorry!)

  • Who is familiar with SQL?
  • Who actually likes writing SQL?
  • Who has a laptop?
  • Who is looking to run this against their own projects i.e. for their work?
  • Who has familiarity with these sorts of insights?

Getting data

deps-fyi/gophercon-uk-2025

Psst - no laptop?
Check out https://dmd-gophercon2025.netlify.app/

Why is it important?

As I wrote in the post Analysing our dependency trees to determine where we should send Open Source contributions for Hacktoberfest

But it's not always 🌞🌈

xkcd comic showing a tower of various layers of boulders and stones, labelled "all modern digital infrastructure", which looks a little precarious. Towards the bottom there is a slim load-bearing stone which is labelled "a project some random person in Nebraska has been thanklessly maintaining since 2003"

Being able to understand how your business uses Open Source is really important for a few other key reasons:

  • How am I affected by that dependency migrating away from Open Source?
  • Usages of unwanted libraries
  • Understand usage of libraries and frameworks, and their versions
  • Discovering unmaintained, deprecated or vulnerable software

The same questions apply to your internal software: which teams consume an internal library, which versions of it are in use, and which of those libraries are unmaintained, deprecated or carrying known vulnerabilities.

Other insights into:

  • How maintained does the dependency appear to be?
  • How good are the dependency's supply chain security practices? (via OpenSSF Security Scorecards)
  • How many dependencies are actively seeking financial support?

What is dependency-management-data?

Dependency Management Data (DMD) - dmd.tanna.dev

What's in the project?

  • The generated SQLite database
  • The command-line tool dmd
  • The web application dmd-web, and the GraphQL-only web application dmd-graph
  • (Your SQLite browser of choice)

SQLite database

  • Conveniently distribute, share
  • Great for local-only or building applications on top of it
  • No lock-in to dmd - all state synced to the DB

What can you do with the raw data?

dmd db init --db dmd.db
#
dmd import ...
dmd import ...
# 🎉

No laptop?
dmd-gophercon2025.netlify.app/2_querying_data/

More insights need more data


Getting additional data:

dmd db generate --db dmd.db advisories
dmd db generate --db dmd.db dependency-health
# 🎉

No laptop?
dmd-gophercon2025.netlify.app/2_querying_data/

Getting started

# produce some data that DMD can import, e.g.
npx @jamietanna/renovate-graph@latest --token $GITHUB_TOKEN \
  your-org/repo another-org/repo
# or for GitLab
env RENOVATE_PLATFORM=gitlab npx @jamietanna/renovate-graph@latest \
  --token $GITLAB_TOKEN your-org/repo another-org/nested/repo

# set up the database
dmd db init --db dmd.db
# import renovate-graph data
dmd import renovate --db dmd.db 'out/*.json'
# then you can start querying it
sqlite3 dmd.db 'select count(*) from renovate'

https://dmd.tanna.dev/cookbooks/getting-started/
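The slides stop at `select count(*) from renovate`; the queries below show what the raw data (the `renovate` table) and the enriched data (the `advisories` table) can answer once they are in one SQLite file. This is an added example, not code from the dmd project. The two tables are a constructed simplification of DMD's `renovate` and `advisories` tables, the column names are an assumption, the package names are fictitious, and the advisories are made up for the sample; run `.schema renovate` and `.schema advisories` against a real dmd.db before reusing the SQL.

```python
"""Query a DMD-style SQLite database for the insights the slides list.

Added example, not dmd's own code. Table layouts below are an assumed,
simplified version of DMD's `renovate` and `advisories` tables.
"""
import sqlite3

SCHEMA = """
CREATE TABLE renovate (
    platform TEXT, organisation TEXT, repo TEXT,
    package_name TEXT, package_manager TEXT,
    version TEXT, current_version TEXT, package_file_path TEXT
);
CREATE TABLE advisories (
    package_name TEXT, package_manager TEXT, version TEXT,
    advisory_type TEXT, description TEXT
);
"""

# Constructed rows standing in for `dmd import renovate` output (fictitious packages).
RENOVATE_ROWS = [
    ("github", "your-org", "api", "example.com/legacy-logger", "gomod", "v1.0.0", "v1.0.0", "go.mod"),
    ("github", "your-org", "api", "example.com/crypto-helper", "gomod", "v0.20.0", "v0.21.0", "go.mod"),
    ("github", "your-org", "worker", "example.com/crypto-helper", "gomod", "v0.17.0", "v0.21.0", "go.mod"),
    ("github", "your-org", "worker", "example.com/legacy-logger", "gomod", "v1.0.0", "v1.0.0", "go.mod"),
    ("github", "another-org", "web", "example-left-pad", "npm", "1.2.0", "1.3.0", "package.json"),
    ("github", "another-org", "web", "example.com/crypto-helper", "gomod", "v0.21.0", "v0.21.0", "go.mod"),
]

# Constructed rows standing in for `dmd db generate advisories` output (made-up advisories).
ADVISORY_ROWS = [
    ("example.com/crypto-helper", "gomod", "v0.17.0", "SECURITY", "constructed: fixed in v0.18.0"),
    ("example-left-pad", "npm", "1.2.0", "SECURITY", "constructed: fixed in 1.3.0"),
    ("example.com/legacy-logger", "gomod", "v1.0.0", "UNMAINTAINED", "constructed: archived upstream"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for `dmd db init`, `dmd import` and `dmd db generate advisories`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO renovate VALUES (?,?,?,?,?,?,?,?)", RENOVATE_ROWS)
    conn.executemany("INSERT INTO advisories VALUES (?,?,?,?,?)", ADVISORY_ROWS)
    return conn


def dependencies_per_package_manager(conn):
    """Raw data: rough shape of the estate (how much Go vs npm etc.)."""
    return conn.execute(
        "SELECT package_manager, COUNT(*) FROM renovate "
        "GROUP BY package_manager ORDER BY package_manager"
    ).fetchall()


def repos_using(conn, package_name):
    """Raw data: which repos pull in a given (possibly unwanted) library, and at what version."""
    return conn.execute(
        "SELECT organisation || '/' || repo, version FROM renovate "
        "WHERE package_name = ? ORDER BY 1",
        (package_name,),
    ).fetchall()


def version_spread(conn, package_name):
    """Raw data: how many distinct versions of one library are in use (migration planning)."""
    return conn.execute(
        "SELECT version, COUNT(*) FROM renovate WHERE package_name = ? "
        "GROUP BY version ORDER BY version",
        (package_name,),
    ).fetchall()


def behind_latest(conn):
    """Raw data: dependencies with a newer version available than the one pinned."""
    return conn.execute(
        "SELECT organisation || '/' || repo, package_name, version, current_version "
        "FROM renovate WHERE version != current_version ORDER BY 1, 2"
    ).fetchall()


def affected_repos(conn, advisory_type=None):
    """Enriched data: join advisories back to the repos that actually ship the affected version.

    Exact-version matching is a simplification of this example; real advisory data
    is usually expressed as version ranges.
    """
    sql = (
        "SELECT r.organisation || '/' || r.repo, a.package_name, a.version, a.advisory_type "
        "FROM advisories a JOIN renovate r "
        "ON r.package_name = a.package_name AND r.package_manager = a.package_manager "
        "AND r.version = a.version"
    )
    params = ()
    if advisory_type is not None:
        sql += " WHERE a.advisory_type = ?"
        params = (advisory_type,)
    return conn.execute(sql + " ORDER BY 4, 1").fetchall() if not params else \
        conn.execute(sql + " ORDER BY 4, 1", params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("per package manager:", dependencies_per_package_manager(db))
    print("legacy-logger users:", repos_using(db, "example.com/legacy-logger"))
    print("crypto-helper versions:", version_spread(db, "example.com/crypto-helper"))
    print("behind latest:", behind_latest(db))
    print("security advisories:", affected_repos(db, "SECURITY"))
```

The same queries run unchanged against a real dmd.db through `sqlite3` or `dmd-web` once the column names are checked; the join in `affected_repos` is the one worth keeping, since it turns a list of advisories into a list of repositories to raise tickets against.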

Resources