Security vulnerabilities in dependencies
Running `npm audit` reveals 31 vulnerabilities (21 low, 9 high, 1 critical)
Issue metadata: created 5 years ago; 7 comments (4 by maintainers)
Top GitHub Comments
Agreed, but we should focus our energy on forcing authors of those libraries to fix the root of the problem, instead of hacking at the leaves by creating issues on dependent libraries.
IMHO, it’s not okay for the maintainers of those libs to ask implementors to bump a major to fix a security issue. They need to release patches so that everyone gets the fixes automatically. I personally think we should all stand our ground on that.
Also, unless the vulnerability is directly in verb, you should create issues on the mentioned libraries. Those libraries should submit patches to fix the vulnerabilities. We should not be expected to bump majors to fix a security issue.
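The thread's distinction between a fix that arrives automatically as a patch release and one that forces a major bump is something `npm audit --json` already reports per finding. The script below is an added example, not code from the issue or from the project: it reads a report in the npm 7+ audit JSON shape (assumed), counts findings by severity, splits them by whether `npm audit fix` can clear them without a breaking change, and lists the high-or-worse findings that need a human decision. The report and package names are constructed for illustration.

```javascript
// Added example, not from the issue or the project: triage an `npm audit --json`
// report by severity and by whether the available fix is a non-breaking release
// (picked up by `npm audit fix`) or needs a major-version bump.
// Assumes the npm 7+ audit JSON shape; the report below is constructed.

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Constructed sample report; package names and advisories are hypothetical.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-util": {
      name: "example-util",
      severity: "critical",
      isDirect: false,
      via: [{ title: "Prototype Pollution (constructed)", url: "https://example.invalid/advisory/1" }],
      range: "<1.2.6",
      // `true` means npm can fix it within the current semver range.
      fixAvailable: true,
    },
    "example-parser": {
      name: "example-parser",
      severity: "high",
      isDirect: true,
      via: [{ title: "ReDoS (constructed)", url: "https://example.invalid/advisory/2" }],
      range: "<=2.0.0",
      // Fix exists only in a new major: npm flags it as a breaking change.
      fixAvailable: { name: "example-parser", version: "3.0.0", isSemVerMajor: true },
    },
    "example-leaf": {
      name: "example-leaf",
      severity: "low",
      isDirect: false,
      via: ["example-parser"], // vulnerable only through example-parser
      range: "*",
      fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 },
  },
};

// How a single finding can be remediated, derived from npm's `fixAvailable` field.
function fixKind(vuln) {
  const fix = vuln.fixAvailable;
  if (fix === true) return "nonBreaking";
  if (fix && typeof fix === "object") return fix.isSemVerMajor ? "majorBump" : "nonBreaking";
  return "none";
}

// Count findings per severity from the per-package entries, so the result can be
// cross-checked against the report's own metadata block.
function countBySeverity(report) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const vuln of Object.values(report.vulnerabilities)) {
    counts[vuln.severity] = (counts[vuln.severity] || 0) + 1;
  }
  return counts;
}

// Group package names by remediation kind.
function classifyFixes(report) {
  const groups = { nonBreaking: [], majorBump: [], none: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    groups[fixKind(vuln)].push(vuln.name);
  }
  return groups;
}

// CI gate: findings at or above `threshold` that `npm audit fix` cannot clear
// without a breaking change. These are the ones that need a human decision.
function needsAttention(report, threshold = "high") {
  const floor = SEVERITY_ORDER.indexOf(threshold);
  return Object.values(report.vulnerabilities)
    .filter((vuln) => SEVERITY_ORDER.indexOf(vuln.severity) >= floor)
    .filter((vuln) => fixKind(vuln) !== "nonBreaking")
    .map((vuln) => vuln.name);
}

// Human-readable summary for a CI log.
function summarize(report) {
  const counts = countBySeverity(report);
  const groups = classifyFixes(report);
  const lines = [
    `${report.metadata.vulnerabilities.total} vulnerabilities: ` +
      SEVERITY_ORDER.filter((s) => counts[s]).map((s) => `${counts[s]} ${s}`).join(", "),
    `fixable without a major bump: ${groups.nonBreaking.join(", ") || "none"}`,
    `fixable only by a major bump: ${groups.majorBump.join(", ") || "none"}`,
    `no fix available:            ${groups.none.join(", ") || "none"}`,
  ];
  return lines.join("\n");
}

console.log(summarize(SAMPLE_AUDIT));
const blocking = needsAttention(SAMPLE_AUDIT, "high");
console.log(blocking.length ? `needs attention: ${blocking.join(", ")}` : "nothing blocking");
```

In practice the constructed `SAMPLE_AUDIT` would be replaced by the parsed output of `npm audit --json` from the project under review; the `majorBump` group is exactly the set of findings the comments above argue should not exist, because the upstream library should have shipped the fix as a patch that `^`-ranged consumers pick up automatically.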