We should all be using dependency cooldowns (blog.yossarian.net)
from BlackEco@lemmy.blackeco.com to programming@programming.dev on 25 Nov 14:01
https://lemmy.blackeco.com/post/2368195

#programming


GammaGames@beehaw.org on 25 Nov 14:27

Been using renovate a while, 42 added this as a default!

minimumReleaseAge: 3 days will now be set by default for npm in config:best-practices

dohpaz42@lemmy.world on 25 Nov 14:57

Color me curmudgeon, but automated dependency updates should never be a consideration.

Also, one thing I do like that Github does is that it can be configured to send you a report of dependency changes (in yarn, for example).

folekaule@lemmy.world on 25 Nov 16:23

Pinned (major.minor.patch) versions and ignore-scripts should be the default. It’s insane that the default is to execute untrusted code from the Internet.

It reminds me of back when IE would let me download a bat file and execute it.

/Getoffmylawn

Ephera@lemmy.ml on 25 Nov 23:19

I mean, modern package managers generally now come with lock files, which effectively auto-pin your dependencies, until you trigger a dependency update.

And while it isn’t bullet-proof, it does result in you effectively having a dependency cooldown most of the time. You’re only vulnerable if you trigger the dependency update while the compromised dependency release is public.

Obviously, this can be bad enough, but it does also mean that an ecosystem with lock files is far less attractive to target with a supply-chain attack, since far fewer hosts will get compromised on average.

elgordino@fedia.io on 25 Nov 17:53

pnpm has minimumReleaseAge https://pnpm.io/settings#minimumreleaseage

MonkderVierte@lemmy.zip on 25 Nov 19:45

“cooldown” is exactly what it sounds like: a window of time between when a dependency is published and when it’s considered suitable for use. The dependency is public during this window, meaning that “supply chain security” vendors can work their magic while the rest of us wait any problems out.

[deleted] on 26 Nov 02:12
Vulwsztyn@programming.dev on 26 Nov 15:00

That’s not a good idea

Disregard3145@lemmy.world on 26 Nov 19:28

Most of the supply chain vulnerabilities I’ve seen published and talked about lately have been trying to do things like exfiltrate keys/secrets from developers, including CI.

So if you’ve got a PR open with the vulnerable package update on it then you’ve goofed. Even potentially without merging if you’ve not got CI set up very securely, which is probably more common than we’d like to admit.
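To make the cooldown idea from MonkderVierte's quote concrete, and to show the kind of check Disregard3145's point calls for (catching an update PR that pins a version still inside the window), here is an added example. It is not code from the linked post, from Renovate or from pnpm; it works over the npm registry's packument shape (the `time` map of version to publish timestamp), but the package data, the package name `example-lib`, the fixed "now" and the 3-day window are all constructed for illustration.

```javascript
// Added example: a minimal dependency-cooldown resolver and checker.
// The "time" map (version -> ISO publish timestamp) mirrors the real npm
// packument layout; everything else here is CONSTRUCTED sample data.

const COOLDOWN_DAYS = 3; // assumption: same 3-day window quoted from Renovate above
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const VERSION_KEY = /^\d+\.\d+\.\d+/; // real "time" maps also carry created/modified

// Constructed packument fragment for a hypothetical package "example-lib".
const examplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "1.4.0" },
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2025-11-24T18:00:00.000Z",
    "1.2.0": "2025-10-01T12:00:00.000Z",
    "1.3.0": "2025-11-10T09:30:00.000Z",
    "1.4.0": "2025-11-24T18:00:00.000Z", // published 20 hours before "now": inside the window
  },
};

// Age of a published version in (fractional) days at the given "now";
// undefined when the registry has no publish time for that version.
function versionAgeDays(packument, version, now) {
  const published = packument.time[version];
  if (!published) return undefined;
  return (now.getTime() - Date.parse(published)) / MS_PER_DAY;
}

// True when the version has been public for at least cooldownDays.
function isCooledDown(packument, version, now, cooldownDays = COOLDOWN_DAYS) {
  const age = versionAgeDays(packument, version, now);
  return age !== undefined && age >= cooldownDays;
}

// Most recently published version that satisfies the cooldown, or null if
// none does. Real tools intersect this with a semver range; here "newest"
// simply means latest publish time among the eligible versions.
function resolveWithCooldown(packument, now, cooldownDays = COOLDOWN_DAYS) {
  const eligible = Object.keys(packument.time)
    .filter((key) => VERSION_KEY.test(key))
    .filter((v) => isCooledDown(packument, v, now, cooldownDays));
  if (eligible.length === 0) return null;
  eligible.sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
  return eligible[eligible.length - 1];
}

// Review a set of pins (what a lockfile change or update PR would introduce)
// and report every one that is unknown to the registry or still inside the
// cooldown window. An empty result means the pins are safe to take.
function findCooldownViolations(pins, packuments, now, cooldownDays = COOLDOWN_DAYS) {
  const violations = [];
  for (const [name, version] of Object.entries(pins)) {
    const packument = packuments[name];
    if (!packument) {
      violations.push({ name, version, reason: "unknown package" });
      continue;
    }
    const age = versionAgeDays(packument, version, now);
    if (age === undefined) {
      violations.push({ name, version, reason: "unknown version" });
    } else if (age < cooldownDays) {
      violations.push({ name, version, reason: `published ${age.toFixed(1)} days ago` });
    }
  }
  return violations;
}

// Constructed "now": the morning after 1.4.0 was published.
const now = new Date("2025-11-25T14:00:00.000Z");
const registry = { "example-lib": examplePackument };
console.log("resolved:", resolveWithCooldown(examplePackument, now)); // 1.3.0, not the fresh 1.4.0
console.log("violations:", findCooldownViolations({ "example-lib": "1.4.0" }, registry, now));
```

The resolver deliberately ignores `dist-tags.latest`: a cooldown policy is exactly a refusal to trust "latest" until it has aged. In a pipeline you would run `findCooldownViolations` over the versions a lockfile diff introduces and fail the job on a non-empty result, which turns the waiting period into something CI enforces rather than something a reviewer has to remember.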