|
|
|
|
|
|
by gitgud
2186 days ago
|
|
|
Thanks for the response, that's an interesting way to deal with it. How do you verify a dependency? Do you literally examine the source code? Make sure the build is reproduced? or just the meta data? (downloads, stars) has the portfolio actually prevented any vulnerabilities? It's pretty common for JS projects to have thousands of transitive dependencies, I'm not sure keeping a private portfolio is much use. The entire open-source ecosystem is built on the foundation of trust, if I use a package that's being used by 500 other packages, I can have a high degree of certainty that the package is safe, and by locking the dependencies with yarn.lock I can prevent sneaky updates from entering the system. Anyway maybe I'll look into the dependency portfolio, see how it goes. |
|
|
> How do you verify a dependency? Do you literally examine the source code?
Yeah. It's part of the overhead of using the software. You also look at the history of bugs and how they were handled.
> It's pretty common for JS projects to have thousands of transitive dependencies
Yeah, I know, and it's bonkers IMO.
> The entire open-source ecosystem is built on the foundation of trust
In practice, yes, but in theory, no. The whole idea is that you get to see the code you're running, because the guys who wrote it are clowns. Free Software started when RMS wanted to fix his printer and Xerox said, "No."
> if I use a package that's being used by 500 other packages, I can have a high degree of certainty that the package is safe
I think history has shown that that reasoning is at best probabilistic, eh? You're gambling.
Now, of course, there are limits. Some things get a pass. Do we audit the source of the bash shell? No, despite the fact that it's maintained by a single volunteer.
> Anyway maybe I'll look into the dependency portfolio, see how it goes.
Check out that "Hollywood Secrects" book I mentioned.