Using third party code in Google projects.
Should I use third party code?
Using third party code can significantly reduce development time and offer a better experience for our users. Utilizing third party code is encouraged but the decision to use third party code should be made with caution. Before deciding on using a particular library, please consider these things:
- is this library widely used by the team?
- does one of our standard libraries offer similar benefits? For example, usage of another framework library would be discouraged since the team has already widely adopted AngularJS and Closure.
- how many contributors does the library have? is it well maintained?
- is it long lasting? is it widely used?
- is it well documented?
- is it already checked into third party?
- has it been approved by the Open Source Program Office?
- has it been approved by the security team?
- is it already hosted on one of our CDNs?
- you will be responsible for keeping the library up-to-date in google3. This is necessary for security reasons.
Third party code must be checked into
and cannot be checked into any other location (such as in your git on borg repo
or templates directory).
If a third party library is not checked into google3, the process can take several weeks. Usage of a third party library requires the following approvals:
- Open Source Program Office - Contact email@example.com with details and links to the code and license info. If the library is already checked into google3, you can skip this step.
- Legal - Fill out go/simba.
  - Create a "Misc. matter"
  - Use "Brand Marketing" for product area
  - In "Other parties" enter the name of the company you want to license from
  - In "General notes" describe the project and note if you've already received approval from the Open Source team
  - In "Matter type" choose "New"
  - In "Agreement type" choose "Other - other" or "Other - open source"
  - If you have the license, attach it under "Add document"
  - If you have questions, find the appropriate contact at go/whoismylawyer. (Most likely it's under "Marketing").
  - They will contact you with additional questions or approval
- Security team - firstname.lastname@example.org
Once approved, you can purchase the license with a gCard.
Please read the third party documentation for more information on adding third party libraries.
Third party libraries are usually hosted on gstatic (see below) or the public Google Hosted libraries CDN.
Unlike the Google Hosted Libraries CDN, the gstatic CDN is intended as a private
CDN for Google projects. It's a BUILD file configuration to pull sources from
google3/third_party and serve them on a cookie-less static content server for
We host third party code on gstatic rather than compiling with our source because:
- gstatic is fast and reliable
- it's easier for us to identify usage of third party code
- it's easier to keep up to date with security patches
- it's easier to use
- it retains licensing information
However, it is ok to compile third party code with your source as long as it conforms to third party policies (e.g. compiled code retains licensing information, received necessary approvals, etc).
Take a look at the gstatic external hosted BUILD file to see a complete list of which libraries are hosted on our gstatic cdn. The URL for accessing these libraries is
If you want to add a new library, see How to add libraries to the gstatic CDN
Removing/upgrading a third party lib
Use this dremel query to audit hit count. Be sure to revise the query as follows:
- Update LIKE with the path to the gstatic lib you want. It should end in % as the logs sometimes include additional metadata after the path.
- Update the BETWEEN dates below to recent dates. Don't include today's date because logs don't yet exist for it. If possible, include weekdays in your audit as these have higher traffic.
    $ dremel
    dremel > SET sql_dialect GoogleSQL;
    dremel > select
      REGEXP_EXTRACT(StaticContentServiceExtension.row_key, "^([^:]*)(?::.*)$") as `rk`,
      SUM(greatest(1, samplingratedenom, effectivesamplingratedenom)) as `total`,
      SUM(1) as c
    from gfstmp_static_content.tmp_weblog.all
    WHERE _PARTITION_DATE BETWEEN "20190201" AND "20190207"
      AND StaticContentServiceExtension.row_key LIKE "/external_content/gstatic/external_hosted/normalize/normalize.css%"
      AND responsecode=200
    group by rk
    order by total desc;
As a sanity check, you may wish to run a query against a popular lib that you know will produce lots of hits.
If there's no traffic, you can safely remove the lib from gstatic.
If you see lots of traffic, it might be helpful to see which sites pull in the
lib. Here's a query to get referrals. Again update
    dremel > select
      referer as `r`,
      sum(greatest(1, samplingratedenom, effectivesamplingratedenom)) as `total`,
      sum(1) as c
    from gfstmp_static_content.tmp_weblog.all
    where _PARTITION_DATE BETWEEN "20190203" AND "20190205"
      AND StaticContentServiceExtension.row_key LIKE "/external_content/gstatic/external_hosted/normalize/normalize.css%"
    group by r
    order by total desc;
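To make the numbers from the two audit queries easier to read, here is the same aggregation replayed offline in Python. This is an added example, not part of the original page or any internal tooling. The rows are constructed, the function names are hypothetical, and it assumes the two denominator fields mean "1 in N requests was logged", so `total` estimates real traffic while `c` counts logged rows.

```python
import re
from collections import defaultdict

# Same pattern as the query's REGEXP_EXTRACT: capture the path before the
# first ':' and require a ':'-prefixed metadata suffix to follow it.
ROW_KEY_RE = re.compile(r"^([^:]*)(?::.*)$")
LIB = "/external_content/gstatic/external_hosted/normalize/normalize.css"

def row(key, denom, eff_denom, code, referer):
    return {"row_key": key, "samplingratedenom": denom,
            "effectivesamplingratedenom": eff_denom,
            "responsecode": code, "referer": referer}

# Constructed sample rows, not real logs; only the field names come from the query.
ROWS = [
    row(LIB + ":meta=a", 100, 0, 200, "https://site-a.example/"),
    row(LIB + ":meta=b", 100, 1000, 200, "https://site-a.example/"),
    row(LIB, 0, 0, 200, "https://site-b.example/"),            # no metadata suffix
    row(LIB + ":meta=a", 10, 0, 404, "https://site-b.example/"),
    row("/external_content/gstatic/external_hosted/other/other.js:m", 100, 0, 200,
        "https://site-c.example/"),
]

def weight(r):
    # greatest(1, samplingratedenom, effectivesamplingratedenom); assumed to be
    # the number of real requests that one sampled log row stands for.
    return max(1, r["samplingratedenom"], r["effectivesamplingratedenom"])

def extract_key(row_key):
    m = ROW_KEY_RE.match(row_key)
    return m.group(1) if m else None   # None when the key has no ':' suffix

def audit(rows, prefix, group_by, only_200):
    totals = defaultdict(lambda: [0, 0])   # group -> [estimated total, row count]
    for r in rows:
        if not r["row_key"].startswith(prefix):      # LIKE "<prefix>%"
            continue
        if only_200 and r["responsecode"] != 200:    # first query only
            continue
        group = group_by(r)
        totals[group][0] += weight(r)
        totals[group][1] += 1
    return sorted(((g, t, c) for g, (t, c) in totals.items()), key=lambda x: -x[1])

def hits_by_key(rows, prefix):
    return audit(rows, prefix, lambda r: extract_key(r["row_key"]), only_200=True)

def hits_by_referer(rows, prefix):
    return audit(rows, prefix, lambda r: r["referer"], only_200=False)
```

With this pattern a row key that has no `:` suffix does not match, so its hits land in a separate empty-key group; add that group's `total` to the lib's own before concluding there is no traffic.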
Updating sites using the old lib
If the lib is popular, it may be unrealistic for you to upgrade or remove sites referencing the lib. Work with Mahesh and the Cybage team to audit sites and upgrade the sites or remove their usage of the third party lib.
If you're doing an upgrade, add the new version of the lib to gstatic at a new URL (preferably with the version number in the URL) and temporarily keep the old one in place to facilitate upgrading. It is acceptable to have multiple versions in third party to facilitate the upgrade process.