A Git organisation dependency analysis tool

Problem statement

Not every large organisation employs large monorepos like Google, Facebook, and Microsoft do. Many clients I have consulted for have many repositories in their repository management platform (often GitHub, GitLab, or BitBucket). Such multirepo setups sometime make the organisation's "codebase portfolio" and its dependencies opaque to the developers and the management.

This can complicate version management. Sometimes we need a list of all apps and libraries that are dependent on a specific version of a library (e.g. the Log4j "Log4Shell" vulnerability). Or the core team did an update of one of the base libraries, and we need to know which apps are dependant on this library. Or we simply want a list of all applications in our organisation.

Most repository management software already provides some tools out of box for analysis, but these can be quite limited in scope.

Concept

Introducing an idea for a simple tool for performing such analysis, along with a minimal implementation using Node.js, for GitLab organisations...

The idea is to read the projects API of the repository management software. For each project, read the package.json file (if it exists) of the default branch - because when developing the tool I was mainly interested in frontend and Node.js projects. Next, the dependencies are read, and this data is populated in a local Neo4j instance. Finally, we can run Cypher queries on our repository and dependency graph:

A simple idea, but quite powerful, I've found.

In the quick Node.js script I've written, only GitLab is supported because I happen to have two clients using GitLab. API docs can be found here: GitLab Projects API

The code can be found here.

Disclaimer: this is not a finished and polished product. Rather, it is a script I've written quickly that helps me during my day-to-day work as a consultant for various companies, and would like to share with the world.

Photo credit: Alina Grubnyak