Update June 16 2025: Automatic syncing has been enabled for linked Bitbucket, GitHub, and GitLab repos, via the SCM apps. Also, scorecards now support package dependencies. Next up - support for more package managers!
After integrating Compass with their repository to track development events and metrics, customers look for more detailed information about their components within Compass.
One common request we hear is for the ability to track package dependency version information for their Compass components.
Having this data easily accessible in Compass can really help users by allowing them to:
Run campaigns to help migrate to newer versions.
Get insights into the percentage of components using specific versions, like 1.0 or 2.0, of a dependency.
Be more aware of components or repositories that haven’t adopted a required version.
To enable this, we’re in the process of releasing a new Compass feature called Package Dependencies.
In this initial beta release, we introduced the ability to view package version information for a component, specifically for NPM packages. This feature allows users to view a comprehensive list of packages that a component depends on, accessible from the component page. This information comes from package-lock.json files submitted to Compass via the REST API or synced via an SCM app.
In addition, developers can also review the list of components dependent on a specific package. This functionality provides a lightweight scorecard-like mechanism for stakeholders to gain a global view of version usage, enabling informed decisions and strategic planning.
You can use package dependencies as criteria in Compass scorecards to make sure your components are using approved or up-to-date package versions. This is crucial for maintaining consistency, security, and compliance across your projects.
How to use package dependencies as scorecard criteria:
Create or edit a scorecard:
Go to Compass and select Scorecards from the main menu. Choose to create a new scorecard or edit an existing one.
Add package dependency criteria:
When defining scorecard criteria, select Package version as the criteria type.
Set conditions:
Specify the package manager and package name and set the version condition (for example, greater than, less than, or equal to a specific version).
Apply and monitor:
Save the scorecard and apply it to relevant components. Compass will automatically evaluate components against these criteria, helping you identify which components are not compliant with your package version policy.
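The version check these steps configure, written out as an added Python example (not Compass's own code or API): it reads an npm package-lock.json (lockfileVersion 1, 2 or 3), collects every installed copy of each package, including nested copies, and evaluates a criterion such as "lodash >= 4.17.21" against all of them. The sample lockfile is constructed here; the rule that a package which is not installed at all passes the criterion is an assumption, not documented Compass behaviour.

```python
import json
import operator
import re

# Constructed sample in the npm lockfileVersion 3 layout; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "sample-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-service",
             "dependencies": {"lodash": "^4.17.0", "express": "^4.18.0"}},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/express": {"version": "4.18.2"},
        # express pins its own older copy of debug; a hoisted newer copy also exists
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/debug": {"version": "4.3.4"},
    },
})

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a tuple that compares in semver order.

    A pre-release sorts before the release with the same numbers, so the fourth
    field is 0 for pre-releases and 1 for releases. Pre-release identifiers are
    compared as plain strings, a simplification of the full semver rules.
    """
    m = _SEMVER.match(text)
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def installed_versions(lock):
    """Return {package_name: set_of_versions} for every package in a lockfile.

    Accepts the lockfile as JSON text or as an already-parsed dict and handles
    both the flat 'packages' map (lockfileVersion 2/3) and the nested
    'dependencies' tree (lockfileVersion 1).
    """
    data = json.loads(lock) if isinstance(lock, str) else lock
    found = {}
    packages = data.get("packages")
    if packages is not None:
        for path, entry in packages.items():
            if not path:
                continue  # "" is the root project itself, not a dependency
            # Keys look like node_modules/a/node_modules/@scope/b; the package
            # name is everything after the last "node_modules/".
            name = path.rsplit("node_modules/", 1)[-1]
            found.setdefault(name, set()).add(entry["version"])
    else:
        def walk(deps):
            for name, entry in deps.items():
                found.setdefault(name, set()).add(entry["version"])
                walk(entry.get("dependencies", {}))
        walk(data.get("dependencies", {}))
    return found


OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}


def evaluate_criterion(lock, package, op, version):
    """Evaluate one 'package <op> version' criterion against a lockfile.

    Returns (passed, details). The criterion passes only if every installed
    copy of the package satisfies the condition, so a stale nested copy fails
    it even when the hoisted copy is current. Assumption: a package that is not
    installed at all passes, since the criterion is about versions in use.
    """
    target = parse_version(version)
    versions = installed_versions(lock).get(package, set())
    failing = sorted(v for v in versions if not OPS[op](parse_version(v), target))
    return (not failing, {"installed": sorted(versions), "failing": failing})


if __name__ == "__main__":
    for pkg, op, ver in [("lodash", ">=", "4.17.21"),
                         ("express", ">=", "4.18.0"),
                         ("debug", ">=", "4.0.0")]:
        passed, details = evaluate_criterion(SAMPLE_LOCK, pkg, op, ver)
        print(f"{pkg} {op} {ver}: {'PASS' if passed else 'FAIL'} {details}")
```

Checking every installed copy rather than only the top-level one matters for a policy like "no copy of package X below the patched version": a hoisted, current copy at node_modules/X does not remove an older copy nested under another dependency.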
After you connect a code repository from either Bitbucket, GitHub, or GitLab, Compass automatically scans for associated package dependencies in the background, then displays them within each component’s sidebar.
Alternatively, you can submit a lockfile via the REST API: navigate to the Package Dependency tab for a component and click the Upload package dependencies button. This will display customized instructions for submitting a lockfile via the REST API.
Right now, Compass supports package-lock.json files only, but we’ll add more in the future.
As we continue to refine and expand this feature, our next steps include:
✅ automating the fetching of lock files from repositories (via the Bitbucket for Compass, GitHub for Compass, and GitLab for Compass apps),
✅ enabling package-dependency-based scorecard criteria, and
🔜 supporting more file formats/package managers
We invite you to explore these new capabilities and share your feedback here. Your insights are invaluable as we strive to enhance the functionality and usability of Compass. Stay tuned for more updates as we progress through the remaining milestones!
Alastair Wilkes
Senior Product Manager, Compass
Atlassian
Massachusetts, USA