if the package has insecure third party dependencies we should be breaking the build and working with upstream to fix this.
Multiple ways to deal with this problem.
soft approach: monitor the dependencies seperately and keep a tab on it and followup with upstreams (already configured for pip via requires.io but we still need to find for gem and java dependencies)
Hard approach: monitor at build time via local tool and break build if dependency older. This would require large efforts and change in build script for all packages and we need to decide on which software needs to be scanned and how. One probability is to use owasp dependecy checker but we need to do a trial run.
if the package has insecure third party dependencies we should be breaking the build and working with upstream to fix this.
Multiple ways to deal with this problem. soft approach: monitor the dependencies seperately and keep a tab on it and followup with upstreams (already configured for pip via requires.io but we still need to find for gem and java dependencies)
Hard approach: monitor at build time via local tool and break build if dependency older. This would require large efforts and change in build script for all packages and we need to decide on which software needs to be scanned and how. One probability is to use owasp dependecy checker but we need to do a trial run.