
Security Updates and More!

Open elliot-huffman opened this issue 3 years ago • 0 comments

Overview

Provide updates to reduce surface area for attack

Technical Details

  • Update Packages
  • Add Security Code Scanning (SAST)
  • Add Dependabot
  • Change from Yarn to NPM
  • Drop support for legacy Node.JS

Explanation on why the change

Update Packages

This project was running on unsupported versions of packages/libraries.
Doing this causes supportability and security risk.
Updated to the latest versions of the packages; no code changes were necessary. A side effect of this will be faster cache management, as LRU-Cache updated its algorithm and claims improvements to performance that it describes as:

"significantly better performance"

Code Scanning (SAST)

Add free code scanning by GitHub Advanced Security to reduce the chance a security risk goes undiscovered. SAST stands for Static Application Security Testing, in which a tool only needs an application's source code to perform source-to-sink analysis and derive potential security vulnerabilities or weaknesses from the way data flows.
When I ran the library through SAST, it didn't flag anything, which is great. I just want to make sure that this is included in the standard workflow instead of being a one-off from people like me. GitHub offers CodeQL for free for public repos. It is a critical security best practice to have SAST as part of software engineering; please see Security Development Lifecycle for more info.

Dependabot

Enable Dependabot to reduce the risk that a supply chain attack is successful by automatically providing package updates. The dependencies of this project are woefully out of date; Dependabot can help with this. In addition to creating PRs for project dependencies, it can also auto-update any GitHub Actions used, reducing work needed there too.

Yarn to NPM

Change from Yarn to NPM since NPM has all the optimizations that Yarn has built into its base code.
This also reduces surface area for attack by eliminating unnecessary package managers in favour of just the core NPM system (which Yarn runs on top of), which gets shipped with every version of Node.JS.
Advancements from Yarn like Plug'n'Play can still be baked into this project if desired.

Drop Legacy Node.JS Support

Drop support for legacy Node.JS versions since they are no longer maintained and technically incompatible with this package because of the language features it and its dependencies use.
Node.JS 14 has been set as the new minimum since the language features required by this project and its dependencies fall into that category.

Need input on the below

Made version number bump a feature bump because of the changes.
It would probably be best to have a major bump since the advertised base version of Node.JS supported is changing from 0.10 to 14.0.0 but I would defer to @roccomuso on this.

elliot-huffman, Nov 21 '22 00:11
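A Dependabot configuration matching what the issue proposes (automatic update PRs for both the npm dependencies and any GitHub Actions workflows), written as an added example rather than a file from this issue or the memorystore project. It assumes the package.json sits in the repository root; GitHub reads this file from .github/dependabot.yml.

```yaml
# .github/dependabot.yml (constructed example, not from the project)
version: 2
updates:
  # Project dependencies: Dependabot opens PRs bumping package.json /
  # the lockfile when a new version is published, and also raises
  # security-update PRs for advisories affecting a dependency.
  - package-ecosystem: "npm"
    directory: "/"          # location of package.json
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # GitHub Actions used in .github/workflows (e.g. the CodeQL scan):
  # keeps the action versions pinned in the workflow files current.
  - package-ecosystem: "github-actions"
    directory: "/"          # Dependabot looks in .github/workflows here
    schedule:
      interval: "weekly"
```

With this in place, Dependabot reports its findings under the repository's Security tab and the update PRs run through the same CI (including the CodeQL workflow) as any other change.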