Two Stages of Your Relationship
Pre- and Post-Consumption
Before we begin, it’s important to acknowledge that there are two stages in your relationship to open-source components.
The first stage is pre-consumption, when you “go shopping” for a component that satisfies a specific need in your app. The second stage is post-consumption, when the component is incorporated into the app and appears in a build.
Each stage has its own set of best practices. Broadly speaking, pre-consumption best practices are about weighing a component’s usefulness against its quality and level of risk (for example, how actively it is maintained, what known vulnerabilities it carries, and how it is licensed). Post-consumption best practices are about mitigating the risk already present in your build and weighing the costs and benefits of your remediation options (for example, upgrading, patching, replacing, or accepting the risk of a component that is already shipping).
You might suspect that apps are often in both stages at once, and you would be right. The breakneck pace of modern software development and the emphasis on CI/CD mean that apps are usually in both stages for a generous portion of their lifetime: new components are being evaluated while the ones already consumed are being built, shipped, and maintained.
Managing your risk effectively means addressing both stages. Focusing on the pre-consumption stage exclusively is a bad strategy because there is no such thing as a risk-free component: a component that is clean today can have a vulnerability disclosed tomorrow, so no amount of up-front selection prevents risk from entering your app. Conversely, focusing on the post-consumption stage exclusively is also a bad strategy, because the quickest, most scalable way to reduce your risk is to select better components from the start. Remediating a component that is already in a build generally costs far more than declining it before it was consumed.
Start With Post-Consumption Best Practices
This content is focused on providing best practices for components that you’ve already consumed. That’s because, if you’re just getting started, post-consumption best practices are the most effective use of your time.
Sometimes, the only correct pre-consumption strategy is to accept the risk, use the component, and commit to remediating the risk later. That remediation process is something you’ll codify as you work through post-consumption best practices, so it makes sense to focus your efforts there first.
Additionally, in the same way that your teeth need to be brushed every morning and night, you’ll always need to think about the open-source component risk in your applications. It’s inevitable; components are just too useful not to use, and no amount of caution, skill, tooling, or hard work can prevent them from bringing some risk into your app. What you can control is how quickly you find that risk and how well you respond to it.