NightLore / DependencyVis


Use Cases #60

Open NightLore opened 3 years ago

NightLore commented 3 years ago
  1. A user wants to know the current *"attractiveness" of the dependencies in their project.
  2. A user wants to know the current *"attractiveness" of the dependencies of the dependencies in their project. (transitive dependencies?)
  3. A user wants to know if there are any "abnormal" dependencies (dependencies they are not aware of or did not intend to depend on?).
  4. A user wants to evaluate a library to see how *"attractive" it is.
  5. A user wants to see the entire dependency tree.

*attractiveness can be split into "how well maintained" and "how vulnerable" and "popularity"

NightLore commented 3 years ago

Well-maintained = activity (number of issues, etc.); how vulnerable => less vulnerable

NightLore commented 3 years ago
  1. Suppose a user was considering the library Axios.js to manage their promises for accessing other APIs and wanted to know what additional dependencies Axios.js comes with. By entering into DependencyVis the organization name (axios) and the library repository name (axios), the user will immediately see that Axios.js has one dependency: follow-redirects.
  2. Suppose that user wanted to see how vulnerable both Axios.js and its dependency (follow-redirects) are. By clicking on the "Audit" option under "Color" in the "Options" panel, the user will see that both nodes are green, which means that npm Audit has no vulnerability cases for the most recent version of Axios.js and the versions of follow-redirects that Axios.js relies on.
NightLore commented 3 years ago
  1. Suppose that user wanted to see how "popular" Axios.js is. By clicking on "axios/axios" on the Sidebar on the left side of the application, the user can see that Axios.js has over 1200 watchers and over 80,000 stars. By clicking the "Stars" option or the "Watchers" option, the user can see that Axios.js has far more watchers and stars than its dependency (follow-redirects) as a reference point.
  2. Suppose that user wanted to see what license Axios.js has in order to determine if the user can use it in their project. By clicking on "axios/axios" on the Sidebar on the left side of the application, the user can see that Axios.js has an MIT License, which means it is free software open for use.
  3. Suppose that user wanted to see how "active" the maintainers of Axios.js are. By clicking on "axios/axios" on the Sidebar on the left side of the application, the user can see that Axios.js has over 7000 forks, over 70 open PRs, and 6 closed PRs in the past month which took an average of 19.3 days to close from when they were first created. The user can also see that the project was last updated on 2021-01-14 (Jan 14, 2021). So Axios.js has still been active in the past month.
NightLore commented 3 years ago
  1. Suppose a user wanted to compare whether or not to use Axios.js or node-fetch as their promise library of choice for their project. By running two instances of DependencyVis and entering "axios" into both organization and repo boxes for the first instance and "node-fetch" into both boxes for the second instance, the user can compare the numbers in the sidebar to see that node-fetch has smaller numbers for every metric except number of closed PRs and PR mean time.
NightLore commented 3 years ago
  1. Comparing now: Suppose a user wanted to use a visualization library to manage how their graphs are drawn for their Node.js project. They found two visualization libraries: d3.js and vis.js. By running two instances of DependencyVis and then entering "d3" into both organization and repo boxes for the first instance and "visjs" into the organization box and "vis-network" into the repo box for the second instance, the user can compare the numbers in the sidebar.

  2. Hope for the future (simulating adding libraries to a Node.js project): Suppose a user wanted to use a visualization library to manage how their graphs are drawn for their Node.js project. They found two visualization libraries: d3.js and vis.js. By entering into DependencyVis the organization and repository name of their project, the user can then add d3.js and vis.js by entering "d3" and "vis-network" respectively into the "try out a dependency" box on the lower right. The user can then compare all the metrics in the options pane as well as the actual numbers in the sidebar.

NightLore commented 3 years ago
  1. Comparing now: Suppose a user wanted to use a visualization library to manage how their graphs are drawn for their Node.js project. They found two visualization libraries: d3.js and vis.js. In order to decide between the two, the user wants to determine how "attractive" the libraries are compared to each other. "Attractiveness" will be split into three categories: "how popular", "how active", and "how secure". To begin comparing, the user can run two instances of DependencyVis, then enter "d3" into both organization and repo boxes for the first instance and "visjs" into the organization box and "vis-network" into the repo box for the second instance. The user can then look at the sidebar and compare the amount of "forks" (d3: 22449, visjs: 169), "watchers" (d3: 3967, visjs: 23), and "stars" (d3: 95278, visjs: 1223) to see that d3.js appears to be more "popular" based on those 3 metrics. To compare "how active" each library is, the user can look at the "date last updated" (d3.js: 2021-01-14, vis.js: 2021-02-04), "date created" (d3.js: 2010-09-27, vis.js: 2019-07-16), and "pr mean time" (d3.js: not listed, vis.js: 0.3 days) to see that vis.js was updated more recently by a single month, d3.js is much older by 9 years, and d3.js did not have any pull requests closed within the last 30 months. To compare "how secure" they are, the user can look at the visualization and select the "Audit" option to see that they do not have any npm audit vulnerabilities. Then the user can see through the graph that vis.js does not have any dependencies, but d3.js has a lot of dependencies, mostly d3 sub-libraries. When clicking the "load next layer" button, the user can see that d3.js indirectly depends on "delaunator", "commander", "iconv-lite", and "rw". In summary, the user will have to choose between d3.js, which is more popular and older, and vis.js, which has fewer dependencies and more recent pull requests, which might indicate more activeness.
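As an added example (not DependencyVis code), the following models three of the checks the use cases above describe: walking a dependency graph layer by layer (use cases 2 and 5), flagging transitive dependencies the user never declared (use case 3), and the "pr mean time" activity metric with its "not listed" edge case. The dependency graph and pull-request dates are constructed for illustration; only the package names come from the thread.

```javascript
// Constructed graph: package -> direct dependencies. It mirrors the layering
// described above (d3 -> d3 sub-libraries -> delaunator/commander/iconv-lite/rw);
// the intermediate d3-* packages are assumptions, not taken from the thread.
const GRAPH = {
  "d3": ["d3-delaunay", "d3-dsv", "d3-array"],
  "d3-delaunay": ["delaunator"],
  "d3-dsv": ["commander", "iconv-lite", "rw"],
  "d3-array": [], "delaunator": [], "commander": [], "iconv-lite": [], "rw": [],
  "vis-network": [],
};

// Breadth-first walk returning Map<package, depth>; depth 1 is a direct
// dependency, depth 2 is what "load next layer" reveals, and so on.
// The visited map also protects against cyclic dependency graphs.
function transitiveDeps(graph, root) {
  const seen = new Map([[root, 0]]);
  const queue = [root];
  while (queue.length) {
    const pkg = queue.shift();
    for (const dep of graph[pkg] || []) {
      if (!seen.has(dep)) { seen.set(dep, seen.get(pkg) + 1); queue.push(dep); }
    }
  }
  seen.delete(root);
  return seen;
}

// "Abnormal" dependencies in the sense of use case 3: packages the project
// pulls in without declaring them, i.e. everything deeper than the first layer.
function undeclaredDeps(graph, root) {
  return [...transitiveDeps(graph, root)].filter(([, d]) => d > 1).map(([p]) => p).sort();
}

// Activity metric: mean days from PR creation to close, over PRs closed within
// the 30 days before `now`. Returns null when nothing closed (shown as "not listed").
const DAY = 86400000;
function prMeanCloseDays(prs, now) {
  const recent = prs.filter(p => p.closed_at && now - Date.parse(p.closed_at) <= 30 * DAY);
  if (!recent.length) return null;
  const total = recent.reduce((s, p) => s + (Date.parse(p.closed_at) - Date.parse(p.created_at)), 0);
  return Math.round(total / recent.length / DAY * 10) / 10;
}

// Constructed PR records; dates are invented for the example.
const PRS = [
  { created_at: "2021-01-30T00:00:00Z", closed_at: "2021-02-01T00:00:00Z" }, // 2 days
  { created_at: "2021-01-20T00:00:00Z", closed_at: "2021-02-04T00:00:00Z" }, // 15 days
  { created_at: "2020-11-01T00:00:00Z", closed_at: "2020-12-01T00:00:00Z" }, // outside window
  { created_at: "2021-02-01T00:00:00Z", closed_at: null },                  // still open
];
const NOW = Date.parse("2021-02-05T00:00:00Z");
console.log(undeclaredDeps(GRAPH, "d3"), prMeanCloseDays(PRS, NOW)); // mean is 8.5 days
```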