
feat: dependencies security review

Open weboko opened this issue 1 year ago • 4 comments

This is a support request

Problem

js-waku is a client-side set of libraries that depends heavily on many packages from the npm ecosystem. One of our goals is to provide the best privacy guarantees possible in a web environment. Part of that is addressed by the architecture of the network, but we shouldn't forget that bad code can get in and cause leaks, such as spying on any input on a web page, XSS, etc.

Proposed Solutions

We should not spend too much time on it, at least for now, but lay the groundwork for future improvements. This should include:

  • review dependencies and decrease their number as much as possible;
  • run npm audit at the very least to check the remaining dependencies;
  • check the dependabot configuration and, if not present, add checks for package updates and security updates;
  • double-check that releases happen using npm ci so that it installs the locked versions of packages;
  • investigate and set up a pipeline that blocks releases if npm audit does not succeed (or some other requirement that prevents releasing bad dependencies);

Notes

Useful links:

  • https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities

weboko, Feb 05 '24 21:02
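The last two bullets of the proposal (release with locked versions, block the release when `npm audit` does not pass) are the part that can be mechanised. The script below is an added example of such a gate; it is not js-waku's code and nothing in this issue shows the repository has one. It assumes the JSON report format of npm 7 and later (`auditReportVersion: 2`, a `vulnerabilities` map keyed by package name whose `via` field holds advisory objects for the root cause and package-name strings for transitive hits). The package names, advisory URLs, and the policy shape (`failAt` plus an `allow` map of advisory URL to waiver expiry date) are constructed for the example.

```javascript
// Added example, not js-waku project code: a release gate over `npm audit --json`.
// Decides pass/fail from a severity policy, judges transitive findings by the
// advisories of their root package, and fails closed when the audit cannot run.
// Assumes the npm v7+ report shape (auditReportVersion 2).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Hypothetical policy shape: block at or above `failAt`; `allow` maps an advisory
// URL to an ISO expiry date so an accepted risk must be re-approved, not forgotten.
const DEFAULT_POLICY = { failAt: "high", allow: {} };

// Follow string entries in `via` back to the advisory objects that cause them.
function rootAdvisories(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const vuln = report.vulnerabilities[name];
  if (!vuln) return [];
  return (vuln.via || []).flatMap((v) =>
    typeof v === "string" ? rootAdvisories(report, v, seen) : [v]
  );
}

function evaluateAudit(report, policy = DEFAULT_POLICY, now = new Date()) {
  // npm emits `{ "error": {...} }` when the audit endpoint is unreachable;
  // "could not check" must not be mistaken for a clean report.
  if (report.error) {
    return { ok: false, error: report.error.code || String(report.error), blocking: [], waived: [] };
  }
  const threshold = SEVERITY_RANK[policy.failAt];
  const blocking = [];
  const waived = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    // An unrecognised severity label is ranked as critical (fail closed).
    const rank = SEVERITY_RANK[vuln.severity] ?? SEVERITY_RANK.critical;
    if (rank < threshold) continue;
    const urls = [...new Set(rootAdvisories(report, name).map((a) => a.url))];
    // Every root advisory needs an unexpired waiver for the finding to pass.
    const allWaived =
      urls.length > 0 &&
      urls.every((u) => policy.allow[u] && new Date(policy.allow[u]) > now);
    const finding = {
      name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      fixAvailable: Boolean(vuln.fixAvailable), // `true` or an upgrade descriptor object
      advisories: urls,
    };
    (allWaived ? waived : blocking).push(finding);
  }
  return { ok: blocking.length === 0, error: null, blocking, waived };
}

// Constructed sample report (placeholder names and URLs, not real advisories):
// a deep dependency with a high advisory, a direct dependency affected only
// through it, and a moderate finding below the default threshold.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-deep-dep": {
      name: "example-deep-dep", severity: "high", isDirect: false,
      via: [{ source: 0, name: "example-deep-dep", title: "Prototype pollution (constructed)",
              url: "https://example.invalid/advisory/CONSTRUCTED-0001", severity: "high", range: "<2.0.0" }],
      effects: ["example-wrapper"], range: "<2.0.0", nodes: ["node_modules/example-deep-dep"],
      fixAvailable: { name: "example-wrapper", version: "3.0.0", isSemVerMajor: true },
    },
    "example-wrapper": {
      name: "example-wrapper", severity: "high", isDirect: true,
      via: ["example-deep-dep"], effects: [], range: "*",
      nodes: ["node_modules/example-wrapper"], fixAvailable: true,
    },
    "example-logger": {
      name: "example-logger", severity: "moderate", isDirect: true,
      via: [{ source: 0, name: "example-logger", title: "ReDoS (constructed)",
              url: "https://example.invalid/advisory/CONSTRUCTED-0002", severity: "moderate", range: "<1.4.0" }],
      effects: [], range: "<1.4.0", nodes: ["node_modules/example-logger"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
};

// Run the real audit in the current project. `npm audit --json` exits non-zero
// whenever it finds anything, so read stdout regardless of the exit status and
// let the policy decide. Returns the process exit code to use.
function runGate(policy = DEFAULT_POLICY) {
  const { spawnSync } = require("node:child_process");
  const proc = spawnSync("npm", ["audit", "--json"], { encoding: "utf8" });
  let report;
  try {
    report = JSON.parse(proc.stdout);
  } catch {
    report = { error: { code: "UNPARSEABLE_AUDIT_OUTPUT" } };
  }
  const result = evaluateAudit(report, policy);
  for (const f of result.blocking) {
    console.error(`BLOCK ${f.name} (${f.severity}${f.direct ? ", direct" : ""}): ${f.advisories.join(", ")}`);
  }
  if (result.error) console.error(`BLOCK audit did not complete: ${result.error}`);
  return result.ok ? 0 : 1;
}

if (process.argv.includes("--gate")) process.exit(runGate());
```

Run it as `node audit-gate.js --gate` after `npm ci` in the release job, so the lockfile that was audited is the one that gets published. Two design points worth noting: a waiver is keyed to the advisory, not the package, so the same root cause does not have to be accepted once per dependant, and the gate treats an audit that did not complete as a failure rather than silently releasing.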

ping @chair28980 for help with parenting this issue

weboko, Feb 05 '24 21:02

@weboko do you think this work can be included in one of the Milestones defined on the 2024 roadmap? Perhaps Composing Waku Protocols to Improve Reliability https://github.com/waku-org/pm/blob/fffa450b0d20c3aac2479106e8b2217706f68ae1/ROADMAP.md

https://github.com/waku-org/pm/issues/114

chair28980, Feb 05 '24 22:02

To me it seems a bit different to what the Milestone is about. Perhaps we can create a new one that would cover compliance with privacy guarantees.

cc @fryorcraken

weboko, Feb 06 '24 09:02

> To me it seems a bit different to what the Milestone is about. Perhaps we can create a new one that would cover compliance with privacy guarantees.

Reliability needs to come first, then scaling, then privacy.

I see this work as part of release, maintenance, etc. I would not invest too much time on it for now, beyond ensuring npm audit is run before a release, as for 2024 js-waku's sole purpose is to dogfood reliability protocols.

fryorcraken, May 22 '24 04:05