Maintaining modules - security updates
-
Hi everyone,
As a developer/maintainer of a couple of MM modules I’m really wondering how everyone is keeping their modules’ dependencies up to date.
An easy thing to do would be to run npm audit fix on my repos and/or merge all PRs from dependabot, but I’m too worried about breaking changes in dependencies. I wouldn’t know how to find the time to extensively test and fix all functionality in the modules. Especially if it would break functionality that someone else is using, that I’m not using myself. How do other developers handle this?
Chris
-
@qistoph sadly there is no magic. All of them lead to testing.
audit fix causes more problems than it resolves, because of unseen breaking changes.
One of my (not published) modules gets its data from a MongoDB somewhere remote. The server version changed, and dropped support for my (admittedly old) client version. One function I used was an external add-on, now part of the product… BUT done differently… so you get to rewrite sometimes… it’s crushing…
From a security standpoint, we are not a general purpose web site w lots of different users trying to use it at the same time.
-
@qistoph I’m moving the stuff I do to no dependencies. :)
-
Would’ve been nice if there were (at least a couple of) basic libs with long-term support. Security fixes, maybe some added functionality now and then, but no breaking changes…
The actual risk of almost all vulnerabilities is quite low indeed because of the way our systems are set up. It’s just the eerie feeling of seeing all these critical issues while installing my modules that doesn’t feel right.
-
@qistoph we don’t have any binaries, all our code is in JavaScript. We are exposed to the general internet trends: speed of delivery over stability.
Breaking changes are everywhere.
I will say that a couple of volunteers have been working hard on processes for MM to detect those breaking changes by implementing a test system. But nothing is perfect.