
Consider dropping tiny dependencies

Open dapplion opened this issue 6 years ago • 3 comments

💥 Proposal

Every NPM dependency introduces a security risk where we must trust that the current (and future) maintainers will not inadvertently introduce hazards to Aragon CLI users. Since this code can potentially manage value, it's worth considering the risk. Past NPM dependency attacks have targeted poorly maintained packages with a lot of users, but the next target could be smaller packages.

Below is a list of packages that are so simple that they could be implemented locally or at least force a specific version.

  • "git-clone": "^0.1.0": 1-5 lines of code
  • "dev-null": "^0.1.1": ~10 lines of code
  • "go-platform": "^1.0.0": ~10 lines of code
  • "get-folder-size": "^2.0.1": Could be removed, IPFS has an API endpoint to check the repo size
  • "engine-check": review too

Also, note that the legacy and new IPFS clients are dependencies.

"ipfs-api": "^26.1.2",
"ipfs-http-client": "^39.0.2",

dapplion avatar Nov 24 '19 11:11 dapplion
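As an added example (not code from aragon-cli), a small Node script that audits a package.json for the two things this proposal asks for: caret/tilde ranges that let a future maintainer release change what gets installed, and the legacy IPFS client still sitting next to its successor. The legacy/replacement pair is an assumption taken from the note above, and the sample manifest is constructed from the specifiers quoted in the issue.

```javascript
// Added example, not part of aragon-cli: audit dependency specifiers so that a
// future upstream release cannot silently change what `npm install` pulls in.

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Assumed legacy -> replacement pairs, based on the issue noting that both
// IPFS clients are currently dependencies.
const SUPERSEDED = { 'ipfs-api': 'ipfs-http-client' };

// Classify a version specifier: 'exact' installs one known version;
// 'floating' resolves to whatever the registry has at install time;
// 'url' points outside the registry and needs a separate review.
function classifySpecifier(spec) {
  if (EXACT.test(spec)) return 'exact';
  if (/^(git\+|github:|https?:|file:)/.test(spec)) return 'url';
  if (/^[~^]/.test(spec) || /[*x<>]/.test(spec) || /\|\||\s-\s/.test(spec) ||
      spec === '' || spec === 'latest') return 'floating';
  return 'unknown';
}

// Returns one finding per problem: non-exact ranges, and a legacy package
// installed alongside the package that replaced it.
function auditDependencies(manifestText) {
  const manifest = JSON.parse(manifestText);
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const kind = classifySpecifier(spec);
    if (kind !== 'exact') {
      findings.push({ name, spec, issue: `${kind} range; pin an exact version and commit the lockfile` });
    }
    if (SUPERSEDED[name] && deps[SUPERSEDED[name]]) {
      findings.push({ name, spec, issue: `legacy package alongside ${SUPERSEDED[name]}; drop one` });
    }
  }
  return findings;
}

// Constructed sample manifest using the specifiers quoted in the issue.
const SAMPLE_MANIFEST = JSON.stringify({
  dependencies: {
    'git-clone': '^0.1.0',
    'dev-null': '0.1.1',
    'ipfs-api': '^26.1.2',
    'ipfs-http-client': '^39.0.2',
  },
});

function auditSample() { return auditDependencies(SAMPLE_MANIFEST); }

for (const f of auditSample()) console.log(`${f.name}@${f.spec}: ${f.issue}`);
```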

Yes, highly highly agreed on both!

sohkai avatar Nov 25 '19 19:11 sohkai

Same can be said about engine-check.

kernelwhisperer avatar Dec 05 '19 12:12 kernelwhisperer

> Same can be said about engine-check.

Good catch! Adding it

dapplion avatar Dec 05 '19 15:12 dapplion