Web development tools
The following is a list of the basic development tools all engineers at ODI use daily.
Tool | Company | Cost | Purpose |
---|---|---|---|
Visual Studio | Microsoft | Free | Code editor |
GitHub | Microsoft | Free for open source repositories | Code version control/build pipelines |
npm | Microsoft | Free for open source packages | Open source code package registry |
Pantheon | Pantheon, Inc. | $50/month | Managed WordPress host |
AWS | Amazon | Cost based on usage | Cloud platform |
We use these on a Mac, but they can be accessed from any OS. Developers need the ability to change permissions on directories and to perform command line operations with sudo permissions so that they can run npm install and git operations.
Writing code always involves risk. Choosing to depend on heavily used open source tools mitigates that risk, because the code is available for inspection and many organizations have reviewed it to make sure it meets their security requirements.
Installing and managing open source code packages is a routine process developers need to manage in order to be productive. Packaged dependencies need to be:
- Version locked, so installs are reproducible and there are no unexpected upgrades
- Monitored, so teams are notified of dependency updates and any new security vulnerabilities
The ODI team's web services depend on several open source npm packages. We use the following tools and processes to maintain the codebase:
- We use the package-lock file provided by default in recent versions of npm to lock dependency versions to a code release.
- We enable Dependabot on our GitHub repositories so that we are notified automatically of any security vulnerabilities that have been discovered and patched.
- The npm audit command is run manually to pinpoint any vulnerabilities.
- npm, now owned by GitHub (which is owned by Microsoft), proactively monitors packages for security vulnerabilities and will remove package versions from the registry if major security compromises are uncovered.
- The CodeQL tool available from GitHub is also a helpful code auditing tool that we've integrated into some of our repositories. It reviews code that is part of a repository, including all code written by the team and any open source package dependency, and flags possible security vulnerabilities that could cause problems in production environments. The CodeQL audits of a GitHub repository can be run as GitHub Actions.
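An added example (not a file from the ODI repositories) of how the lock-file install, npm audit and CodeQL steps above can be combined in one GitHub Actions workflow; the workflow name, branch name, cron schedule and Node version are assumptions:

```yaml
# .github/workflows/dependency-checks.yml (added example, not an ODI file)
name: Dependency and code checks

on:
  push:
    branches: [main]        # branch name is an assumption
  pull_request:
  schedule:
    - cron: "0 6 * * 1"     # weekly re-scan so new advisories surface without a code change

permissions:
  contents: read
  security-events: write    # required for CodeQL to upload its findings

jobs:
  dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed Node version
          cache: npm
      # npm ci refuses to run without package-lock.json and fails when the lock
      # and package.json disagree, so the install matches the committed lock exactly.
      - run: npm ci
      # Fail the build on high or critical advisories; lower severities are only reported.
      - run: npm audit --audit-level=high

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3
```

Dependabot alerts and version updates are configured separately (repository security settings and `.github/dependabot.yml`), so they are not part of this file.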
We use WordPress headlessly for several sites including https://covid19.ca.gov, https://cannabis.ca.gov, https://drought.ca.gov, https://innovation.ca.gov.
We also sometimes use Markdown directly on GitHub for really simple content management. We do this on https://designsystem.webstandards.ca.gov/
We are continually experimenting with different CMS tools. There are many options that are flexible enough to allow us to leverage the same decoupled patterns so we have full control over all the code delivered to site visitors on the frontend.