b112, 10 hours ago:
So you get security updates late too? Many vulnerabilities are in the wild for years before being noticed, and patched. Once noticed, that's where the exploit explosion erupts, excited exploiters everywhere, emboldened... enticed... excessively encouraged, by your delayed updates.
AgentME, 9 hours ago:
Presumably npm exempts security updates from its minimum release age, but even if it doesn't, I think the times where you need an important security update are relatively rare enough that handling the real cases on a case-by-case basis with whitelisting is fine. Outside of Next.js's React2Shell vulnerability last year, I'm not sure I've ever had a security update of a dependency written in a memory-safe language (i.e. not C/C++) which I've installed through npm/PyPI/Cargo that patched a security vulnerability that had been making my application exploitable to others in practice. Almost all security vulnerabilities I've personally seen flagged through npm are about things I only use at build-time and are only relevant if a user can create and pass an arbitrary object to the function, which is rarely the case. Most security vulnerabilities I've encountered and fixed in working on web apps were things like XSS, SQL injections, and improperly enforced permissions, and they nearly always happened in the application's own code rather than inside a dependency.
ayuhito, 10 hours ago:
At least with our Renovate config, all dependencies have a 7 day cooldown, but marked security updates are immediate. Attackers can’t push a security update without going through the reporting process (e.g. GitHub CVE), so they can’t necessarily abuse that easily.
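An added illustration of the policy described in that comment, written here as a `renovate.json5` fragment rather than taken from the commenter's own config. `minimumReleaseAge`, `vulnerabilityAlerts` and `osvVulnerabilityAlerts` are documented Renovate options; that Renovate's defaults for vulnerability-alert PRs drop the release-age wait is my understanding of those defaults, not something the thread states.

```json5
{
  // Every dependency update waits 7 days after the version is published
  // before Renovate opens a PR. This is the cooldown that keeps a freshly
  // published malicious version from landing in CI within the hour.
  "minimumReleaseAge": "7 days",

  // PRs Renovate raises because a GitHub security advisory names a
  // dependency in this repo. Renovate's built-in defaults for these PRs
  // reset minimumReleaseAge (assumption: current default behaviour), so a
  // fix for a reported CVE is proposed immediately instead of waiting
  // 7 days. Set "enabled": false to make security fixes obey the cooldown too.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },

  // Also consult the OSV database, not only GitHub's own advisories.
  "osvVulnerabilityAlerts": true
}
```

The cooldown only works when the registry exposes publish timestamps for each version; check Renovate's log for the dependency if an update seems to skip the wait.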
ketozhang, 8 hours ago:
You could still have security bumps happening (like dependabot).