Deprecated Libraries

I just did a post on GraphQL. The reason I'm looking into it is that it is a technology we are evaluating at work, and we are evaluating it over concerns about the supportability of OData.

And, I think that this is somewhat justifiable. But, more on that in a moment.

In the same vein, we appear to be considering replacements for KnockoutJS for the same reasons. And now I'm getting genuinely concerned that we've lost all rational thought.

I can't honestly say I was involved in the choice to adopt KnockoutJS. Nor can I say I feel it is better or worse than alternatives. But, I can say I'm not overly concerned about it becoming an abandoned project. And this isn't because I think it won't happen. In fact, it may have already happened.

Why I'm not concerned comes down to two things: the scope of the project and its dependencies.

With OData there is concern because it is highly coupled with .Net itself, and .Net Core 3.0 brought rather massive breaking changes that left OData unusable on the platform for months after .Net Core 3.0 was finalized. You can see how that might be cause for concern. You can wait and hope (for an unknown amount of time) for a final release, you can stay on a version of .Net Core which will lose support sooner, or you can take on beta or even alpha code.

Between those options, it is actually quite hard to decide which is the most impactful.

But, with KnockoutJS, jQuery is the only other dependency to be concerned about. And since KnockoutJS is primarily handling component rendering and data binding, you can add extra code around it to mitigate vulnerabilities if there is somehow a way for them to become a threat.

Put another way, I'm actually a lot more comfortable with KO becoming out of date than I would be if we were using something like Angular or another much more all-encompassing framework. And then I have additional concerns: changes in those frameworks can lead to massive code rewrites just to stay up to date. So you can end up just as worried about a project going stale as about it not.

To me, KnockoutJS is a low-threat decision, whereas OData is a much higher threat. OData has other dependencies which may need to be kept more or less in sync for things to work, and many of those dependencies could easily be app-critical. Knockout, by contrast, is at some risk due to its dependency on jQuery. But it is a fairly safe library, and KO is open source under the MIT license, so possibilities exist to patch it manually if needed.

My point isn't to talk about specific libraries, though. It is to make a point about dependencies in general: we need to be a little more open in considering the real-world threat of a project being abandoned or not providing timely updates.

Frameworks like KnockoutJS are minimally invasive and not affected much by the changes around them. I'd place bets against it remaining viable for years after the death of the project. Something like OData, on the other hand? It is what is exposing my services to my applications. If the platform and everything else were up to date at the point it was abandoned, and there were no serious vulnerabilities discovered shortly thereafter, you could probably feel good for a few months, and maybe push it for a year or two. But if the underlying platform moved on and made breaking changes, you could quickly find yourself in violation of contracts if you need to maintain certain levels of security certification.

And I'm not super concerned about OData specifically. But something with the sort of impact OData has would definitely be on my radar of projects to be concerned about.
