I am building a web application that is dependent upon several third-party libraries. What is a good strategy for making sure that you're always using the most fully patched versions? A simple method would be to keep the versions written down and visit the websites at regular intervals, but I am looking for some way to get the information 'pushed' to me if possible, like an aggregation service so I can see things at a glance. I figured that there might be others out there who have needed to do the same thing and have worked out a good solution.

Here are a few libraries I am using:

  1. Zend Framework
  2. jQuery
  3. HTMLPurifier
  4. Markdownify
  5. InnovaStudio WYSIWYG Editor
  6. Fancybox
  7. MojoZoom
+2  A: 

Do they have version control repositories? If so, your problem is solved by pulling from their respective VCS's.

Pierre-Antoine LaFayette
+1  A: 

You could have some sort of automated checkout if they allow read-only access to their source repository. It really shouldn't be too much work to target each individual one.

Otherwise mailing lists or RSS feeds may provide some 'push' style info as well.

EDIT:

What about utilizing GMail to aggregate everything? You can subscribe to mailing lists to get mail into your GMail account, subscribe to RSS feeds with Google Reader and have it notify you via GMail, and then see if it's possible to subscribe to SVN updates on the repositories.

Might be more work than it's worth. ;)

Adam Driscoll
Good points. Any way to aggregate this information?
Sonny
+1  A: 

I like to put all my projects in SVN and then use svn:externals.

douwe
That's a good answer to a related issue, but not quite what I'm looking for.
Sonny
+4  A: 

"A simple method would be to keep the versions written down and visit the websites at regular intervals,"

Good idea.

"but I am looking for some way to get the information 'pushed' to me if possible."

Potentially a bad idea.

The issue is one of confirming mutual compatibility. Open Source software requires a huge integration effort.

You must validate each update of each third-party package against your application. Having information "pushed" to you doesn't help you do the validation or testing. It only tells you that you "should" do something. Since you can't simply drop everything and test every time something is updated, you have to do something like the following.

  1. Pick a schedule. Monthly, for example.

  2. Check all your packages for release notes.

  3. Download updates you think might be interesting. I.e., they fix bugs you have. Or they patch security holes you didn't know you have.

  4. Test.

If everything works, you have an update to your application. If things don't work, you have debugging to plan for and then do.

S.Lott
Good point about not being able to 'simply drop everything' for every update.
Sonny
"Push" is overrated.
S.Lott
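
The monthly check from the answer above (steps 2 and 3), as an added example that is not part of the original thread: it compares a written-down version inventory against collected release notes and queues security-related updates for testing first. The version numbers, release notes and keyword list are constructed for illustration, and version parsing assumes plain dotted numeric versions.

```python
import re

# Constructed inventory: the "versions written down" from the question.
# Version numbers are made up for illustration.
PINNED = {"Zend Framework": "1.10.2", "jQuery": "1.4.2", "HTMLPurifier": "4.0.0"}

# Constructed release-note entries, as gathered in step 2 of the monthly check.
RELEASES = [
    ("Zend Framework", "1.10.3", "Fixes XSS vulnerability in a view helper"),
    ("Zend Framework", "1.10.1", "Documentation fixes"),
    ("jQuery", "1.4.3", "Performance improvements for selectors"),
    ("HTMLPurifier", "4.1.0", "Security: tighten CSS url() filtering"),
    ("HTMLPurifier", "4.0.0", "New major release"),
    ("Fancybox", "1.3.1", "Bug fixes"),  # not in the inventory
]

# Assumed keyword list for spotting security fixes in release notes.
SECURITY_WORDS = re.compile(
    r"\b(security|vulnerab\w*|xss|csrf|injection|cve-\d{4}-\d+)\b", re.I)

def version_key(text):
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def triage(pinned, releases):
    """Return (to_test, untracked): releases newer than the pinned version,
    security-related ones first, and libraries missing from the inventory."""
    to_test, untracked = [], set()
    for name, version, notes in releases:
        if name not in pinned:
            untracked.add(name)  # in use or of interest, but nobody recorded a version
            continue
        if version_key(version) <= version_key(pinned[name]):
            continue  # already at or past this release
        is_security = bool(SECURITY_WORDS.search(notes))
        to_test.append((is_security, name, version, notes))
    # Security fixes first, then by library name and version.
    to_test.sort(key=lambda item: (not item[0], item[1], version_key(item[2])))
    return to_test, sorted(untracked)

if __name__ == "__main__":
    queue, untracked = triage(PINNED, RELEASES)
    for is_security, name, version, notes in queue:
        tag = "SECURITY" if is_security else "routine"
        print(f"[{tag}] {name} {PINNED[name]} -> {version}: {notes}")
    for name in untracked:
        print(f"[untracked] {name} has releases but no pinned version on record")
```

The output is only a test queue for step 4; each update still has to be validated against the application before it ships.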
+1  A: 

It may actually be in your best interest to simply let their versions languish until you're ready to upgrade. As a matter of course, things may change between the plug-ins (and so many, at that), that it will very likely break your app should anything change.

It would probably be best for you to upgrade your versions in a sweep with your own app's version changes. That way you can control for version changes and bugs that inherently come with them.

dclowd9901