How Can I Protect My App from Third-Party Dependency Issues?

Asked By CuriousCoder42 On

In light of recent security incidents like the axios package compromise, I'm trying to figure out how to safeguard an enterprise-level application that relies on third-party dependencies. Updating packages is essential for getting the latest security patches, but it can also introduce new issues. Is this a problem exclusive to JavaScript and npm, or do we see similar challenges in other programming languages? I don't hear about these problems as often in C# or Java. What strategies can I use to combat such security threats? I'm considering approaches like tracking dependency versions, disabling automatic updates until thoroughly vetted, and limiting post-install scripts. What strategies do you all recommend for production environments?

1 Answer

Answered By SafeDependencyGuy On

Always make sure to version lock your dependencies and try to use only the ones you really need. This way, you can avoid any unwanted surprises when a new version gets released.

AnalyticalMind24 -

So, version locking means you’re fixing a particular version of a dependency, right? That ensures it won’t automatically update without your consent? It sounds like a good strategy to avoid moving to a compromised version, but doesn’t that require you to keep an eye on future updates? Also, do people typically use any dependency scanning tools to ensure the versions they stick with aren't compromised?
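As an added illustration of the version-locking advice in the answer and the follow-up question about how to check the versions you lock (example code, not from the original post or either poster): the script below lints the three files that decide what `npm ci` installs. It reports dependency specs that are ranges or tags rather than exact versions, lockfile entries that have no integrity hash or resolve from a registry other than the expected one, and hardening keys missing from `.npmrc` (`ignore-scripts=true` stops install scripts, `save-exact=true` makes future `npm install` pin). The sample `package.json`, `package-lock.json` and `.npmrc` contents are constructed for the example, the integrity strings are placeholders rather than real hashes, and the allowed registry host and the required `.npmrc` keys are assumed policy choices.

```javascript
// Added example: lint dependency pins, lockfile provenance and .npmrc hardening.
// Sample inputs are constructed; integrity values are placeholders, not real hashes.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Assumption: the only registry this project should resolve packages from.
const ALLOWED_REGISTRY_HOST = "registry.npmjs.org";

// Assumption: .npmrc settings a hardened project is expected to carry.
const REQUIRED_NPMRC = { "ignore-scripts": "true", "save-exact": "true" };

function isExactVersion(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Every dependency whose spec is a range (^, ~, >=), a dist-tag, a URL or a wildcard.
function findUnpinned(packageJson) {
  const out = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(packageJson[section] || {})) {
      if (!isExactVersion(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Lockfile v2/v3 keys look like "node_modules/a" or "node_modules/a/node_modules/b".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// Lock entries that npm cannot verify, or that come from somewhere unexpected.
function findLockGaps(lockJson) {
  const out = [];
  for (const [key, entry] of Object.entries(lockJson.packages || {})) {
    if (key === "" || entry.link) continue; // root project and workspace symlinks
    const name = packageNameFromKey(key);
    if (!entry.integrity) out.push({ name, problem: "missing integrity hash" });
    if (!entry.resolved) {
      out.push({ name, problem: "missing resolved URL" });
      continue;
    }
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { host = null; }
    if (host !== ALLOWED_REGISTRY_HOST) {
      out.push({ name, problem: `resolved from unexpected source ${entry.resolved}` });
    }
  }
  return out;
}

// Parse .npmrc (key=value per line, # or ; comments) and list required settings not present.
function findNpmrcGaps(npmrcText) {
  const settings = {};
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return Object.entries(REQUIRED_NPMRC)
    .filter(([key, value]) => settings[key] !== value)
    .map(([key, value]) => `${key}=${value}`);
}

function auditProject({ packageJsonText, lockText, npmrcText }) {
  const unpinned = findUnpinned(JSON.parse(packageJsonText));
  const lockGaps = findLockGaps(JSON.parse(lockText));
  const npmrcGaps = findNpmrcGaps(npmrcText);
  const ok = unpinned.length === 0 && lockGaps.length === 0 && npmrcGaps.length === 0;
  return { ok, unpinned, lockGaps, npmrcGaps };
}

// Constructed sample project files.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { axios: "1.6.8", lodash: "^4.17.21", express: "4.19.2" },
  devDependencies: { jest: "~29.7.0" }
});
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.6.8", resolved: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz", integrity: "sha512-PLACEHOLDER" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "node_modules/express": { version: "4.19.2", resolved: "https://mirror.example.internal/express-4.19.2.tgz", integrity: "sha512-PLACEHOLDER" },
    "node_modules/jest": { version: "29.7.0", resolved: "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz", integrity: "sha512-PLACEHOLDER" }
  }
});
const SAMPLE_NPMRC = "# project config\nsave-exact=true\n";

const report = auditProject({ packageJsonText: SAMPLE_PACKAGE_JSON, lockText: SAMPLE_LOCK, npmrcText: SAMPLE_NPMRC });
console.log(JSON.stringify(report, null, 2));
```

Run it in CI before `npm ci --ignore-scripts` and fail the build when `ok` is false. On the sample input it flags `lodash` and `jest` as unpinned, `lodash` for a missing integrity hash, `express` for resolving from the internal mirror, and the absence of `ignore-scripts=true`. Pinning and hash-checking only prove you install what you reviewed; whether a pinned version is itself compromised still needs a scanner or advisory feed (`npm audit` or equivalent) run against the locked set.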
