The Dart ecosystem has more than 55,000 published packages in pub.dev. Given its growth over the last few years, understanding what packages are the most critical in the ecosystem helps in having productive conversations about the dependencies in your product. These dependencies tend to allow you to move fast by not building everything from scratch. However, it's crucial to ensure you're using packages that are actively maintained and not outdated.
We’ve gathered criticality information from packages in pub.dev and the Open Source Security Foundation (OpenSSF) database, to bring attention to Dart packages, developers, organizations, communities and projects in 2024.
What is a criticality score?
In 2020, Google, under the OpenSSF, released a metric named “criticality score”. The aim was to identify the most influential and important projects, with a number between 0 (least important) and 1 (most important). The score is based on an algorithm designed by Rob Pike, and it considers contributor count, commit frequency and other signals to derive the final score of a project.
The criticality score tool measures the criticality of a repository, not of a package. We’ve only analyzed those pub.dev packages that are correctly associated with a GitHub repository, together with the Dart repositories collected in the OpenSSF database.
Why should we care about critical packages?
Knowing about critical packages in the ecosystem helps us to have productive conversations about our dependencies. The more critical a package is, the more important its maintenance becomes for the ecosystem. We depend on the collective effort to ensure critical dependencies remain updated and healthy.
For example, when looking at the OSV Vulnerabilities Database, there are only nine vulnerable packages hosted in Pub. This either means Dart developers always write very good code, or there is a lack of vulnerabilities being reported.
Consider the archive package, which has a high criticality score of around 0.58. A vulnerability was reported by Mohamed Benchikh, a community member, and fixed by its maintainer Brendan Duncan. In all, it is important that we notify maintainers about issues and vulnerabilities in their packages so we can collectively enjoy a healthier and more secure Dart ecosystem, especially for packages with high criticality scores.
In addition, some OSS projects struggle to get the time, resources, and attention they need to be maintained. By identifying the critical packages in the ecosystem, we can connect the critical open source projects we all rely on with organizations that can provide them with adequate support (as suggested by the Google Open Source Blog post on Finding Critical Open Source Projects).
We have taken the time to do the analysis of the ecosystem and have broken it down in the following charts focused on independent publishers, organization publishers, and open source projects.
Most critical independent Pub publishers
There are many developers who independently maintain critical Pub packages. That said, all of the packages below receive help from external contributors; in aggregate they add up to over 1500 contributors. Thanks to this incredible collective effort, these packages are used by more than 1 million developers!
Only repositories that are sufficiently critical (a score above 0.35) contribute to a publisher’s total score; this prevents developers with numerous non-critical packages from becoming outliers.
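To make the scoring and the per-publisher aggregation concrete, here is an added example (not code from the article or from the OpenSSF project) that computes a Pike-style criticality score for a few constructed repositories and sums the scores per publisher using the 0.35 cutoff described above. The signal names, weights, thresholds and repository data are assumptions for illustration, not the calibrated parameters or real data used by the criticality score tool.

```python
# Added example: Pike-style criticality scoring plus the per-publisher
# aggregation with a cutoff. Weights, thresholds and repos are constructed.
import math

# Each signal maps to (weight alpha_i, threshold T_i). The threshold caps a
# signal so one enormous value cannot dominate the score. Assumed values.
SIGNALS = {
    "contributor_count": (2.0, 5000),
    "commit_frequency": (1.0, 1000),    # average commits per week
    "dependents_count": (2.0, 500000),
}


def criticality_score(signals):
    """C = sum(alpha_i * log(1+S_i) / log(1+max(S_i, T_i))) / sum(alpha_i).

    Returns a value in [0, 1]; every signal at or above its threshold gives
    exactly 1.0, and all-zero signals give 0.0.
    """
    total_weight = sum(weight for weight, _ in SIGNALS.values())
    score = 0.0
    for name, (weight, threshold) in SIGNALS.items():
        value = max(0, signals.get(name, 0))
        score += weight * math.log(1 + value) / math.log(1 + max(value, threshold))
    return score / total_weight


def publisher_totals(repos, cutoff=0.35):
    """Sum per-repository scores per publisher, counting only repositories
    whose score is strictly above the cutoff (the article's 0.35 rule)."""
    totals = {}
    for repo in repos:
        score = criticality_score(repo["signals"])
        if score > cutoff:
            totals[repo["publisher"]] = totals.get(repo["publisher"], 0.0) + score
    return totals


# Constructed sample repositories (not real pub.dev data).
REPOS = [
    {"publisher": "alpha", "signals": {"contributor_count": 400, "commit_frequency": 12, "dependents_count": 20000}},
    {"publisher": "alpha", "signals": {"contributor_count": 1, "commit_frequency": 0, "dependents_count": 3}},
    {"publisher": "beta", "signals": {"contributor_count": 5000, "commit_frequency": 1000, "dependents_count": 500000}},
]

if __name__ == "__main__":
    for repo in REPOS:
        print(repo["publisher"], round(criticality_score(repo["signals"]), 3))
    print(publisher_totals(REPOS))
```

The second "alpha" repository scores well below 0.35, so it does not add to that publisher's total even though it belongs to a publisher with a critical package.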
Most critical organization publishers
We’re incredibly excited to see more organizations joining the Dart & Flutter ecosystem. While we are lucky enough to be near the top of the chart, other organizations including service providers and product companies are also building for the community!
Google has been excluded from the above graphic. Google itself has a total score beyond 50 (aggregate of Dart, Flutter, Firebase, and other Google services). They are by far the most critical organization in Pub!
Most critical community led publishers
Besides developers and organizations, there are communities of developers that collectively aim to improve the Dart & Flutter ecosystem. They also deserve a shoutout for their valuable collaborative contributions!
Most critical open source projects
The OpenSSF database also collects information about open source projects that are not published in Pub. While we’re at it, we’ve crunched the data on the applications with the highest criticality scores. In aggregate, all these projects add up to more than 178k GitHub stars, more than the Flutter repository itself!
Shaping the future of Pub
The number of packages published in Pub has been growing. There are around ten thousand more published packages since we looked at the distribution of licenses used in Pub packages around a year ago! This has been largely possible thanks to the thriving Dart & Flutter community. As more offerings are available we should also aim to make better decisions about the introduction and longevity of the dependencies of our products.
We expect developers to meticulously evaluate new dependencies and to call out when it’s time to replace a package or to offer assistance with its maintenance. Evaluating the criticality scores of such dependencies helps us do so, but we should not forget that it is a metric that might not tell the entire story of a dependency, its maintenance and its existence.
We encourage developers to collaborate with the dependencies they rely on; just opening an issue is a massive help! When doing so on packages with high criticality, the impact on the ecosystem is larger; nonetheless, repositories with low criticality today might be highly critical in the future!
Very Good Ventures has more than fifteen published packages in Pub, learn about all our tools at vgv.dev! You can also check out our GitHub to get involved and discover all our best practices and tools!
Reaching out
If you found this article helpful, don’t hesitate to share it. If you would like to discuss this topic, feel free to reach out personally to Alejandro via LinkedIn. If you and your team need help understanding the criticality score of your dependencies, get in touch so we can help!
Written by Alejandro Santiago, illustrated by Luciano Bologna, revised by Tom Arra in September 2024