Third party libraries

Stay organized with collections Save and categorize content based on your preferences.

Using third party code in Google projects.

Should I use third party code?

Using third party code can significantly reduce development time and offer a better experience for our users. Utilizing third party code is encouraged but the decision to use third party code should be made with caution. Before deciding on using a particular library, please consider these things:

  • is this library widely used by the team?
  • does one of our standard libraries offer similar benefits? For example, usage of another framework library would be discouraged since the team has already widely adopted AngularJS and Closure.
  • how many contributors does the library have? is it well maintained?
  • is it long lasting? is it widely used?
  • is it well documented?
  • is it already checked into third party?
  • has it been approved by Open Source Program Office?
  • has it been approved by security team?
  • is it already hosted on one of our CDNs?
  • you will be responsible for keeping the library up-to-date in google3. This is necessary for security reasons.

Third party code must be checked into google3/third_party and cannot be checked into any other location (such as in your git on borg repo or templates directory).

Approval process

If a third party library is not checked into google3, the process can take several weeks. Usage of a third party library requires the following approvals:

Open Source Program Office - Contact opensource-licensing@google.com with details and links to the code and license info. If the library is already checked into google3, you can skip this step.

  • Legal - Fill out go/simba.

    • Create a "Misc. matter"
    • Use "Brand Marketing" for product area
    • In "Other parties" enter the name of the company you want to license from
    • In "General notes" describe the project and note you if you've already received approval from the Open Source team
    • In "Matter type" choose "New"
    • In "Agreement type" choose "Other - other" or "Other - open source"
    • If you have the license, attach it under "Add document"
    • If you have questions, find the appropriate contact at go/whoismylawyer. (Most likely it's under "Marketing").
    • They will contact you with additional questions or approval
  • Security team - ise-team@google.com

  • Once approved, you can purchase the license with a gCard

Please read the third party documentation for more information on adding third party libraries.

Third party javascript is not typically compiled in with your project's production code. Instead, please host it on our gstatic CDN. See go/thirdpartyjavascript.

Library CDNs

Third party libraries are usually hosted on gstatic (see below) or the public Google Hosted libraries CDN.

gstatic CDN

Unlike the Google Hosted Libraries CDN, the gstatic CDN is intended as a private CDN for Google projects. It's a BUILD file configuration to pull sources from google3/third_party and serve them on a cookie-less static content server for improved performance.

We host third party code on gstatic rather than compiling with our source because: - gstatic is fast and reliable - it's easier for us to identify usage of third party code - it's easier to keep up to date with security patches - it's easier to use - it retains licensing information

However, it is ok to compile third party code with your source as long as it conforms to third party policies (e.g. compiled code retains licensing information, received necessary approvals, etc).

Take a look at the gstatic external hosted BUILD file to see a complete list of which libraries are hosted on our gstatic cdn. The URL for accessing these libraries is

//www.gstatic.com/external_hosted/<destdir>/<files>

For example,

//www.gstatic.com/external_hosted/modernizr/modernizr.js

If you want to add a new library, see How to add libraries to the gstatic CDN

Removing/upgrading a third party lib

Audit usage

Use this dremel query to audit hit count. Be sure to revise the query as follows:

revise LIKE with the path to the gstatic lib you want. It should end in % as the logs sometimes include additional metadata after the path.

revise BETWEEN dates below to recent dates. Don't include today's date because logs don't yet exist for it. If possible, include weekdays in your audit as these have higher traffic.

$ dremel

dremel > SET sql_dialect GoogleSQL;
dremel > select
    REGEXP_EXTRACT(StaticContentServiceExtension.row_key, "^([^:]*)(?::.*)$") as `rk`,
    SUM(greatest(1, samplingratedenom, effectivesamplingratedenom)) as `total`,
    SUM(1) as c
from gfstmp_static_content.tmp_weblog.all
WHERE _PARTITION_DATE BETWEEN "20190201" AND "20190207" AND
   StaticContentServiceExtension.row_key LIKE "/external_content/gstatic/external_hosted/normalize/normalize.css%"
    AND responsecode=200
group by rk
order by total desc;

As a sanity check, you may wish to run a query against a popular lib that you know will produce lots of hits.

If there's no traffic, you can safely remove the lib from gstatic.

If you see lots of traffic, it might be helpful to see which sites pull in the lib. Here's a query to get referrals. Again update LIKE and BETWEEN.

dremel > select
   referer as `r`,
    sum(greatest(1, samplingratedenom, effectivesamplingratedenom)) as `total`,
    sum(1) as c
from gfstmp_static_content.tmp_weblog.all
where
    _PARTITION_DATE BETWEEN "20190203" AND "20190205" AND
    StaticContentServiceExtension.row_key LIKE "/external_content/gstatic/external_hosted/normalize/normalize.css%"
group by r
order by total desc;

Updating sites using the old lib

If the lib is popular, it may be unrealistic for you to upgrade or remove sites referencing the lib. Work with Mahesh and Cybage team to audit sites and upgrade the sites or remove their usage of the third party lib.

If you're doing an upgrade, add the new version of lib to gstatic at a new url (preferrably with the version number in the url) without removing old one temporarily to fascilitate upgrading. It is acceptable to have multiple versions in third party to fascilitate the upgrade process.

Using CDNs

You'll most likely be using the Closure Compiler to compile your site's javascript. Since the source for the third party code is not included with your code, you'll need to provide type information about the third party library to the Closure compiler. See the Compiling: Using third party code documentation for more details on how to do this.