
Process for managing dependencies

Open wemeetagain opened this issue 3 years ago • 9 comments

Is your feature request related to a problem? Please describe.

We want to be less vulnerable to "supply chain attacks", maliciously updated dependencies. (example here) We want to have more assurances about the dependencies that we use and when we upgrade.

Describe the solution you'd like

Put more thought into the process around dependency selection and upgrades. May result in revised internal team process or no action if current process is sufficient.

wemeetagain, Nov 30 '21 15:11

If we lock a dependency to an exact version "some-dep": "0.1.0", but some-dep depends on a range: "bad-dep": "^1.0.0" and bad-dep gets compromised, are we vulnerable?

dapplion, Nov 30 '21 17:11

My gut instinct says yes, but this is a curious question you have proposed. Y'all are using yarn?

frankiebee, Dec 09 '21 20:12

I see you are using yarn. Running `yarn audit` regularly can help some with security risks, and adding it to the test suite would be good. It would be best to be over-paranoid in this situation, and it may be good to start thinking about how best to trim down your dependencies, or at least look into isolating them.

> If we lock a dependency to an exact version "some-dep": "0.1.0", but some-dep depends on a range: "bad-dep": "^1.0.0" and bad-dep gets compromised, are we vulnerable?

The answer is yes, you are still vulnerable if you don't have this in your yarn.lock. yarn.lock files mostly fix this issue.

frankiebee, Dec 09 '21 21:12
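To make the point in this answer concrete, the following is an added example (not lodestar code and not something the commenters posted). It models the scenario from the question: the top-level `package.json` pins `some-dep` to `0.1.0`, but `some-dep` itself declares `bad-dep: "^1.0.0"`. Without a lockfile the package manager picks the highest published version matching the caret range, so a newly published (here, constructed) `bad-dep@1.0.1` is what gets installed; with a `yarn.lock` entry for `bad-dep@^1.0.0`, the resolution stays at the recorded `1.0.0`. The registry contents, the lockfile text and the minimal caret-range logic are all constructed for the example and only cover plain `^X.Y.Z` ranges and exact pins.

```javascript
// Added example: why a top-level exact pin does not protect a transitive
// caret range, and how a yarn.lock entry does. All inputs are constructed.

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret semantics: "^1.0.0" allows >=1.0.0 <2.0.0, "^0.1.0" allows >=0.1.0 <0.2.0,
// "^0.0.3" allows only 0.0.3. Anything without "^" is treated as an exact pin.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) return range === version;
  const base = range.slice(1);
  const b = parseVersion(base), v = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (b.major > 0) return v.major === b.major;
  if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
  return v.major === 0 && v.minor === 0 && v.patch === b.patch;
}

// What an install with no lockfile does: take the newest published version
// that satisfies the range. A compromised release that fits the range wins.
function resolveFromRegistry(range, published) {
  const candidates = published.filter((v) => satisfiesCaret(range, v)).sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Parse the subset of the yarn.lock v1 format used here: a header line such as
//   bad-dep@^1.0.0:
// followed by an indented   version "1.0.0"   line. Headers may list several
// comma-separated specifiers that all resolve to the same version.
function parseYarnLockV1(text) {
  const lock = {};
  let current = null;
  for (const line of text.split("\n")) {
    const header = /^(\S.*):$/.exec(line);
    if (header) {
      current = header[1].split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const ver = /^\s+version "([^"]+)"$/.exec(line);
    if (ver && current) for (const key of current) lock[key] = ver[1];
  }
  return lock;
}

// Resolve one transitive dependency: the lockfile entry wins when present,
// otherwise fall back to registry resolution.
function resolveTransitive(name, range, published, lock) {
  const key = `${name}@${range}`;
  if (lock && key in lock) return { version: lock[key], source: "yarn.lock" };
  return { version: resolveFromRegistry(range, published), source: "registry" };
}

// Constructed registry state: 1.0.1 stands in for the compromised release.
const PUBLISHED_BAD_DEP = ["1.0.0", "1.0.1"];

// Constructed yarn.lock written when only bad-dep@1.0.0 existed.
const YARN_LOCK = [
  "# yarn lockfile v1",
  "",
  "bad-dep@^1.0.0:",
  '  version "1.0.0"',
  '  resolved "https://registry.example.invalid/bad-dep/-/bad-dep-1.0.0.tgz#constructed"',
  "",
  "some-dep@0.1.0:",
  '  version "0.1.0"',
  '  resolved "https://registry.example.invalid/some-dep/-/some-dep-0.1.0.tgz#constructed"',
  "  dependencies:",
  '    bad-dep "^1.0.0"',
  "",
].join("\n");

// some-dep is pinned exactly at the top level, but its own range is what matters.
const SOME_DEP_MANIFEST = { version: "0.1.0", dependencies: { "bad-dep": "^1.0.0" } };

function demo() {
  const range = SOME_DEP_MANIFEST.dependencies["bad-dep"];
  return {
    withoutLock: resolveTransitive("bad-dep", range, PUBLISHED_BAD_DEP, null),
    withLock: resolveTransitive("bad-dep", range, PUBLISHED_BAD_DEP, parseYarnLockV1(YARN_LOCK)),
  };
}

console.log(demo()); // withoutLock -> 1.0.1 from registry, withLock -> 1.0.0 from yarn.lock
```

The lockfile only helps while it is actually enforced: in CI the install has to refuse to rewrite it (`yarn install --frozen-lockfile` for yarn v1, `npm ci` for a package-lock), and any `yarn upgrade` or lockfile diff is the moment to review what changed. It also helps only the party that holds it; a package installed from the registry by someone else is resolved against their lockfile, not yours.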

Offline convo: @frankiebee also says we need an up-to-date yarn version and to enforce a minimum yarn version.

wemeetagain, Dec 10 '21 16:12

> the answer is yes you are still vulnerable if you dont have this in your yarn.lock. yarn.lock's mostly fix this issue

However, if a consumer installs lodestar via NPM, the yarn.lock does not help :(

dapplion, Dec 10 '21 16:12

You shouldn't mix package managers. Include in the README that you need yarn.

frankiebee, Dec 13 '21 21:12

warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json.

frankiebee, Dec 13 '21 21:12

I would go as far as to throw in a preinstall script to use yarn.

frankiebee, Dec 13 '21 22:12
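One way to do what this comment and the earlier "minimum yarn version" note ask for, as an added example that is not lodestar's own script: a `preinstall` lifecycle script that refuses to run under anything but yarn and checks the yarn version. npm, yarn and pnpm all pass the invoking package manager and its version to lifecycle scripts in the `npm_config_user_agent` environment variable (e.g. `yarn/1.22.19 npm/? node/v16.20.0 linux x64`), and set `npm_lifecycle_event` to the name of the script being run. The minimum version `1.22.0` and the user-agent strings in the test are assumptions chosen for the example.

```javascript
// Added example: preinstall guard that enforces yarn and a minimum yarn version.
// Wire it up with  "scripts": { "preinstall": "node scripts/enforce-yarn.js" }  (path assumed).

const MIN_YARN_VERSION = "1.22.0"; // assumed minimum for this example

// First token of npm_config_user_agent is "<manager>/<version>".
function parseUserAgent(ua) {
  const m = /^(\w+)\/(\d+\.\d+\.\d+)/.exec(ua || "");
  return m ? { manager: m[1], version: m[2] } : null;
}

// Numeric comparison of "X.Y.Z" strings; negative when a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns { ok, reason } so the decision can be checked independently of process.exit.
function checkPackageManager(ua, minYarn = MIN_YARN_VERSION) {
  const parsed = parseUserAgent(ua);
  if (!parsed) {
    return { ok: false, reason: "npm_config_user_agent is not set; run the install through yarn" };
  }
  if (parsed.manager !== "yarn") {
    return { ok: false, reason: `install invoked by ${parsed.manager}; this project requires yarn` };
  }
  if (compareVersions(parsed.version, minYarn) < 0) {
    return { ok: false, reason: `yarn ${parsed.version} is older than the required ${minYarn}` };
  }
  return { ok: true, reason: `yarn ${parsed.version} accepted` };
}

// Only act when actually running as the preinstall hook, so that importing or
// running this file directly (e.g. in tests) never aborts the process.
if (process.env.npm_lifecycle_event === "preinstall") {
  const result = checkPackageManager(process.env.npm_config_user_agent);
  if (!result.ok) {
    console.error(`preinstall: ${result.reason}`);
    process.exit(1);
  }
}
```

The declarative alternative for the version floor is an `"engines": { "yarn": ">=1.22.0" }` entry in `package.json`, which yarn v1 checks on install unless `--ignore-engines` is passed. Either way, the guard only protects installs made from a checkout of the repository; it does nothing for the case raised above where a consumer pulls the package from the npm registry, since neither the guard nor the repository's yarn.lock governs that consumer's resolution.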

Reducing to prio-medium after only recommending docker installations.

@dadepo could you drop an update of your efforts regarding this?

dapplion, Jun 29 '22 14:06

Closing, nobody should be installing via NPM. Ever. We should provide alternative distribution methods.

philknows, Nov 05 '23 14:11