
Have all dependencies been reviewed for security?

Open hellodword opened this issue 1 year ago • 2 comments

For example, I noticed there are two jsonc-related dependencies:

https://github.com/devcontainers/action/blob/a1930bf7eb60408bbfd6e201d88e33cdec41a25e/package.json#L34
https://github.com/devcontainers/action/blob/a1930bf7eb60408bbfd6e201d88e33cdec41a25e/package.json#L46

The one in the devDependencies was published 5 years ago, and maintained by 1 developer.

I know it's not been used in the source code yet, but I'm curious about how the supply chain security works there.

Thanks :)

hellodword avatar Feb 15 '24 07:02 hellodword

Hi 👋

Generally, we depend on Dependabot alerts to patch security vulnerabilities in the npm package dependencies. Also, we reviewed the dependencies when we created this repository (~ like two years ago).

The one in the devDependencies was published 5 years ago, and maintained by 1 developer.

This ^ definitely won't be caught by it.

I wonder if we should start doing a bi-monthly security review or engage some tooling to help us with it. Any ideas are appreciated. @bamurtaugh @craiglpeters Looking for your insights 👀

samruddhikhandale avatar Feb 24 '24 00:02 samruddhikhandale

Thanks!

This ^

I'm not an expert on npm, but I guess it's not secure for important projects:

  • https://github.com/vuejs/vue-cli/issues/7054

...even locked:

  • https://github.com/vuejs/vue-cli/issues/7051#issuecomment-1072246151

Also, an "unused dependency" may be insecure; see ignore-scripts on https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html

hellodword avatar Feb 24 '24 05:02 hellodword