JS Foundation chooses FOSSA as the Open Source License Cert. Provider

Featuring: Kris Borchers, Executive Director

The JS Foundation (home of ESLint, jQuery, Mocha, webpack and more) supports the critical infrastructure that runs 75% of the top one million websites in the world.

Developers rely on a growing portfolio of open source technologies to create, test and deploy applications. By creating a center of gravity for the open source JavaScript ecosystem, the JS Foundation’s mission is to drive broad adoption and ongoing development of key JavaScript solutions and related technologies.

The JS Foundation is the home for critical JavaScript infrastructure that powers the web. They host 28 projects that power over 75% of the top one million websites in the world, and billions of worldwide users / developers. Key projects include ESLint, jQuery, Lodash, Mocha and more.

We aim to be the driving force for application developers in the standards of the language that runs the web.

The Challenge

A unique feature of the JavaScript ecosystem is its liberal culture of code-sharing. Even small JavaScript projects are known for notoriously pulling in thousands of 3rd-party dependencies.

It’s impossible to keep track of JavaScript dependencies manually… OSS is a huge part of business now.

One of the main services the JS Foundation provides is legal oversight for its projects, which is uniquely challenging in JavaScript where code is shared so liberally. Nearly every web business depends on open source JavaScript libraries, and the JS Foundation must ensure that this infrastructure is safe. “We want to make sure we are protecting our projects from a legal standpoint ... there are so many dependencies to review even within one project, let alone 28 of them. We cannot afford to pay a lawyer to go through every single dependency across every project.”

Compliance certification is critical for the JS Foundation to accomplish, as many of the JSF projects power the web: “If we’re not doing our due diligence to assure the users of our projects that they are safe to use, there’s potential for major business risk.” If a major issue were to slip through the cracks, millions of users could be impacted. With the JSF housing the web’s critical supply chain, the long-term sustainability of the JavaScript ecosystem hinges on its success.

Enter FOSSA

The JS Foundation needed a reliable, trusted and automated way to monitor, manage and maintain license compliance / dependency tracking across the JSF’s major projects that would also allow each project to maintain its autonomy.

FOSSA works on a continuous basis; scanning all source files in a project and its dependencies for license violations. It can integrate with the development workflow, automatically triggering Slack notifications, blocking Pull Requests that bring in dependencies with incompatible licenses, and generate attribution reports with raw copyright headers to certify releases with compliance standards. FOSSA makes compliance easy and automated for developer teams to scale.

Real results were detected within minutes from the initial evaluation which established trust early on and was a key factor during the selection process. FOSSA’s ability to integrate seamlessly into the developer workflow also made FOSSA the clear choice.“The ability for developers to adopt it naturally and choose it as part of a toolchain is awesome. We can enforce JSF policies in the same place too which is great for increasing our visibility across all projects.”

Deployment

Kris spearheaded the FOSSA deployment and chose to start with basic license checks across the main group of repositories for its major projects. The first step was to identify a project maintainer for each project to be set-up with a FOSSA account. Following the account set-up, each project maintainer was given the ability to enable per-commit scanning, integrations with their CI systems, or even Pull Request comments to run potential contributions against licensing standards. From start to finish, the initial deployment was kicked off in minutes, with a full deployment rolled out organically within the week.

Deployment Summary To-Date:

• 24 license-certified projects and active teams
• Over 2000 components actively tracked, scanned, analyzed
• Release badges and certifications rolled out across public-facing homepages / documentation

We found real results with FOSSA quickly. For example, there was one instance where we found misleading metadata which looked like GPL code. Because the issue was flagged, we were able to get ahead of it and resolve the issue before it turned into anything major.

Benefits Summary

Implementing FOSSA lessened the burden of manual tracking across both Legal and Development teams through automated and continuous license compliance scanning. More importantly, FOSSA certifications were proven to run with audit-grade detail, and has therefore instilled a sense of trust that real issues are being tracked, monitored and flagged.

Knowing FOSSA is protecting our projects has been the biggest value to us. It would take hundreds of man hours to comb through every dependency across every project.

FOSSA was built by developers for developers, ensuing a developer-friendly environment that has led to organic adoption across the JS Foundation, and is currently running on 24 of its 28 projects. “We’ve had a great experience using FOSSA and have increased visibility across multiple projects. As a result, we’ve discovered potential issues that our project leaders and development teams have been able to get ahead of and correct. Knowing and understanding the circumstances of what FOSSA has found has instilled a lot of trust and is why FOSSA has become the baseline license compliance certification provider for the JS Foundation.”

Final Thoughts

The JS Foundation will continue to recommend FOSSA for license compliance and dependency tracking across the JSF as new projects and project leaders are on-boarded. According to Kris:

“Every Open Source organization should implement license & dependency tracking. Based on our experience, we would recommend FOSSA to organizations that have large projects or lots of on-going projects. And especially if you’re using JavaScript.”