Use Case: A developer needs to choose between multiple versions of an OSS library and wants to compare security, dependencies, and licensing information before making a decision.
Steps:
- Search for the Package
  - Open JFrog Catalog and enter the package name.
  - View all available versions of the package.
- Compare Package Versions
  - Click on the Compare Packages button.
  - Select multiple versions of the same package (or compare entirely different packages).
  - Review the differences in:
    - Vulnerabilities – Are there security risks in newer versions?
    - Dependencies – Does one version introduce risky dependencies?
    - License Type – Does one version have a more permissive license?
- Make an Informed Decision
  - If a newer version has fewer vulnerabilities and a compatible license, recommend upgrading.
  - If security risks exist, discuss patching options or consider alternative OSS packages.
- Integrate Secure OSS into the Build Pipeline
  - Once the best package is selected, update your dependency manager (e.g., `package.json`, `pom.xml`, `requirements.txt`).
  - Document the rationale for selecting the package to support compliance audits.
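The decision rules in the steps above (fewer vulnerabilities, compatible license, watch for new dependencies) can be captured in a small helper that also emits the audit rationale the last step asks for. This is an added example, not JFrog Catalog code; the `VersionInfo` record shape, the severity weights and the license allow-list are constructed assumptions, not the Catalog's schema.

```python
from dataclasses import dataclass

# Constructed record shape for one package version (hypothetical; not the JFrog Catalog schema).
@dataclass
class VersionInfo:
    name: str
    version: str
    vulnerabilities: dict      # severity -> count, e.g. {"high": 1}
    dependencies: frozenset    # names of direct dependencies
    license: str               # SPDX identifier

# Example allow-list of permissive licenses; an organization would supply its own.
PERMISSIVE = frozenset({"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"})
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

def risk_score(info: VersionInfo) -> int:
    """Weighted vulnerability count so one critical outweighs several lows."""
    return sum(SEVERITY_WEIGHT.get(sev, 1) * n for sev, n in info.vulnerabilities.items())

def compare_versions(current: VersionInfo, candidate: VersionInfo,
                     allowed_licenses=PERMISSIVE) -> dict:
    """Apply the decision rules from the steps above and return an audit record."""
    rationale = []
    cur, cand = risk_score(current), risk_score(candidate)
    rationale.append(f"vulnerability score {cur} ({current.version}) -> {cand} ({candidate.version})")
    # Dependencies present only in the candidate need their own review.
    new_deps = sorted(candidate.dependencies - current.dependencies)
    if new_deps:
        rationale.append(f"introduces new dependencies needing review: {new_deps}")
    license_ok = candidate.license in allowed_licenses
    rationale.append(f"license {candidate.license} is {'on' if license_ok else 'NOT on'} the allowed list")
    if not license_ok:
        decision = "reject"          # incompatible license blocks the upgrade outright
    elif cand < cur:
        decision = "upgrade"         # fewer/less severe vulnerabilities and a compatible license
    else:
        decision = "keep"            # candidate is no safer than what is already in use
    if decision != "reject" and cand > 0:
        rationale.append("residual vulnerabilities: discuss patching or alternative packages")
    selected = candidate.version if decision == "upgrade" else current.version
    return {"package": candidate.name, "selected": selected,
            "decision": decision, "rationale": rationale}
```

The returned dict is what you would file alongside the dependency-manager change so an auditor can see why a version was chosen.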