devcontainers / action

GitHub Action to build & publish your own dev container assets
https://containers.dev
MIT License

Have all dependencies been reviewed for security? #213

Open hellodword opened 9 months ago

hellodword commented 9 months ago

For example, I noticed there're two jsonc related dependencies:

https://github.com/devcontainers/action/blob/a1930bf7eb60408bbfd6e201d88e33cdec41a25e/package.json#L34 https://github.com/devcontainers/action/blob/a1930bf7eb60408bbfd6e201d88e33cdec41a25e/package.json#L46

The one in the devDependencies was published 5 years ago, and maintained by 1 developer.

I know it's not been used in the source code yet, but I'm curious about how the supply chain security works there.

Thanks :)

samruddhikhandale commented 9 months ago

Hi 👋

Generally, we depend on the Dependabot alerts to patch security vulnerabilities for the npm package dependencies. Also, we had reviewed the dependencies when we created this repository (~ like two years ago)

The one in the devDependencies was published 5 years ago, and maintained by 1 developer.

This ^ definitely won't be caught by it.

I wonder if we should start doing a bi-monthly security review or engage some tooling to help us with it. Any ideas are appreciated. @bamurtaugh @craiglpeters Looking for your insights 👀

hellodword commented 9 months ago

Thanks!

This ^

I'm not an expert on npm, but I guess it's not secure for important projects:

...even locked:

Also, an "unused dependency" may be insecure, see ignore-scripts on https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
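As an added example for the two points raised in this thread (a review that Dependabot alerts alone won't give you, and unused dependencies that can still run install scripts), here is a small lockfile audit in plain Node.js. It is not code from the devcontainers/action repository. It reads a package-lock.json in the version 2/3 format that npm 7+ writes and lists every package that declares an install-time script (npm records this as `"hasInstallScript": true`), which is exactly what `ignore-scripts=true` in `.npmrc` neutralises. It also compares the packages declared in package.json against the bare specifiers actually imported in a set of source files. The lockfile, package.json and source snippets below are constructed for the example; the package names are placeholders and say nothing about this repository's real dependencies.

```javascript
// Added example, not part of the devcontainers/action project.
// Audits an npm lockfile for install scripts and a package.json for
// dependencies that no source file imports. All sample data is constructed.

// --- constructed sample inputs (placeholder package names) ---------------
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-action",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-action" }, // root project entry
    "node_modules/example-runtime-lib": { version: "1.4.2" },
    "node_modules/example-dev-tool": { version: "2.0.1", dev: true, hasInstallScript: true },
    "node_modules/example-native-binding": { version: "0.3.0", hasInstallScript: true },
  },
});

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { "example-runtime-lib": "^1.0.0", "@example/config-reader": "^3.0.0" },
  devDependencies: { "example-dev-tool": "^2.0.0" },
});

// Map of file path -> file contents, as a checkout scanner would produce.
const SAMPLE_SOURCES = {
  "src/index.js": 'const lib = require("example-runtime-lib");\nconst fs = require("node:fs");\n',
  "src/cli.js": 'import read from "@example/config-reader/lib/read";\n',
};

// --- lockfile audit -------------------------------------------------------
// Returns every non-root package whose lockfile entry declares an install
// script, together with whether npm marks it as dev-only.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7");
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // skip the project itself
    if (entry.hasInstallScript === true) {
      findings.push({
        name: path.replace(/^.*node_modules\//, ""), // strip nesting prefix
        version: entry.version,
        devOnly: entry.dev === true,
      });
    }
  }
  return findings;
}

// --- unused-dependency check --------------------------------------------
// Matches require("x"), import ... from "x" and import "x"; relative and
// absolute paths (starting with "." or "/") are excluded.
const IMPORT_RE = /(?:require\(\s*|from\s+|import\s+)["']([^"'.\/][^"']*)["']/g;

// "@scope/name/sub/path" -> "@scope/name"; "name/sub" -> "name".
function packageNameOf(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Returns declared dependencies (runtime and dev) that no source file
// imports. A devDependency in this list may still be used by build tooling
// rather than by code, so treat the result as a review queue, not a verdict.
function findUnusedDependencies(packageJsonText, sourceFiles) {
  const pkg = JSON.parse(packageJsonText);
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  const imported = new Set();
  for (const code of Object.values(sourceFiles)) {
    for (const m of code.matchAll(IMPORT_RE)) {
      if (!m[1].startsWith("node:")) imported.add(packageNameOf(m[1]));
    }
  }
  return [...declared].filter((name) => !imported.has(name)).sort();
}

function formatReport(installScriptFindings, unusedDeps) {
  const lines = ["Packages with install scripts (disabled by ignore-scripts=true):"];
  for (const f of installScriptFindings) {
    lines.push(`  ${f.name}@${f.version}${f.devOnly ? " (devDependency)" : ""}`);
  }
  lines.push("Declared dependencies never imported in source:");
  for (const name of unusedDeps) lines.push(`  ${name}`);
  return lines.join("\n");
}

// Stand-alone run prints the report for the constructed sample data.
if (typeof require !== "undefined" && require.main === module) {
  console.log(formatReport(auditLockfile(SAMPLE_LOCKFILE),
    findUnusedDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)));
}
```

On a real checkout you would feed `auditLockfile` the repository's package-lock.json and `findUnusedDependencies` the contents of its `src/` files; anything that shows up under install scripts is code that runs during `npm ci` unless `ignore-scripts` is set, and anything that shows up as never imported is a candidate for removal rather than for a periodic review.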