MagicMirror Forum


    Maintaining modules - security updates

    Development
    qistoph:

      Hi everyone,

      As a developer/maintainer of a couple of MM modules I’m really wondering how everyone is keeping their modules’ dependencies up to date.

      An easy thing to do would be to run npm audit fix on my repos and/or merge all PRs from dependabot, but I’m too worried about breaking changes in dependencies. I wouldn’t know how to find the time to extensively test and fix all functionality in the modules. Especially if it would break functionality that someone else is using, that I’m not myself.

      How do other developers handle this?

      Chris

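The question above is really a triage problem: which of the findings from `npm audit` can be taken without touching a major version, and which cannot. The script below is an added example, not code from this thread or from the MagicMirror project; it reads the JSON that `npm audit --json` prints (assumed to be the auditReportVersion 2 layout used by npm 7 and later) and sorts each finding by whether npm's proposed fix stays within the current semver range (`fixAvailable: true` or an object with `isSemVerMajor: false`), requires a major bump (`isSemVerMajor: true`), or has no fixed release at all. The `SAMPLE_REPORT` is constructed for illustration and names no real package or advisory.

```javascript
'use strict';
// Added example (not from the thread or from MagicMirror): triage `npm audit --json`
// so the fixes npm can apply inside the current semver ranges are separated from
// the ones that would bump a package across a major version.
// Assumes the auditReportVersion 2 layout of npm 7+; SAMPLE_REPORT is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the shape of `npm audit --json` output (no real packages).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true,
      via: [{ title: 'constructed advisory: prototype pollution' }],
      // only fixable by moving to a new major version
      fixAvailable: { name: 'example-parser', version: '3.0.0', isSemVerMajor: true },
    },
    'tiny-util': {
      name: 'tiny-util', severity: 'moderate', isDirect: false,
      via: ['example-parser'],
      fixAvailable: true, // resolvable inside the current semver range
    },
    'old-logger': {
      name: 'old-logger', severity: 'critical', isDirect: true,
      via: [{ title: 'constructed advisory: unsafe deserialization' }],
      fixAvailable: false, // no fixed release exists yet
    },
    'lint-helper': {
      name: 'lint-helper', severity: 'low', isDirect: false,
      via: ['some-dev-tool'],
      fixAvailable: true,
    },
  },
};

// Sort every finding at or above minSeverity into safe / breaking / unfixable.
function triageAudit(report, minSeverity = 'moderate') {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const result = { safe: [], breaking: [], unfixable: [], belowThreshold: [] };

  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const entry = {
      name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      // `via` mixes advisory objects (the vulnerable package itself) with
      // package names (packages that merely depend on a vulnerable one)
      via: (vuln.via || []).map((v) => (typeof v === 'string' ? v : v.title)),
    };
    if ((SEVERITY_RANK[vuln.severity] || 0) < threshold) {
      result.belowThreshold.push(entry);
      continue;
    }
    const fix = vuln.fixAvailable;
    if (!fix) {
      result.unfixable.push(entry);
    } else if (fix === true) {
      result.safe.push(entry);
    } else if (fix.isSemVerMajor) {
      result.breaking.push({ ...entry, fixPackage: fix.name, fixVersion: fix.version });
    } else {
      result.safe.push({ ...entry, fixPackage: fix.name, fixVersion: fix.version });
    }
  }
  return result;
}

// Turn a triage result into the short checklist a maintainer actually wants.
function summarize(triage) {
  const names = (list) => list.map((e) => `${e.name} (${e.severity})`).join(', ');
  const lines = [];
  if (triage.safe.length) {
    lines.push(`apply with plain \`npm audit fix\`, then run the tests: ${names(triage.safe)}`);
  }
  if (triage.breaking.length) {
    lines.push('need a major-version bump (`npm audit fix --force` territory), schedule a tested upgrade: ' +
      triage.breaking.map((e) => `${e.name} -> ${e.fixPackage}@${e.fixVersion}`).join(', '));
  }
  if (triage.unfixable.length) {
    lines.push(`no fixed release yet, assess exposure or replace: ${names(triage.unfixable)}`);
  }
  if (triage.belowThreshold.length) {
    lines.push(`below threshold, revisit later: ${names(triage.belowThreshold)}`);
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: npm audit --json > audit.json && node triage.js audit.json
  // Without an argument the constructed sample above is used.
  const report = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_REPORT;
  for (const line of summarize(triageAudit(report))) console.log('- ' + line);
}
```

The point of the split is that plain `npm audit fix` never crosses a major version, so the "safe" bucket is the set you can merge after a normal test run, while the "breaking" bucket is exactly the set that needs the extensive testing the post worries about; the "unfixable" bucket is where an exposure assessment (is this code path even reachable on a mirror that is not a multi-user web site?) replaces an upgrade.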
      sdetweil @qistoph:

        @qistoph sadly there is no magic. all of them lead to testing

        audit fix causes more problems than it resolves, because of unseen breaking changes.

        one of my (not published) modules gets its data from a MongoDB somewhere remote. the server version changed, and dropped support for my (admittedly old) client version. one function I used was an external add on, now part of the product… BUT done differently… so you get to rewrite sometimes… it’s crushing…

        from a security standpoint, we are not a general purpose web site w lots of different users trying to use it at the same time

        Sam

        Create a working config
        How to add modules

        BKeyport (Module Developer) @qistoph:

          @qistoph I’m moving the stuff I do to no dependencies. 🙂

          The "E" in "Javascript" stands for "Easy"

          qistoph:

            Would’ve been nice if there were (at least a couple) basic libs with long time support. Security fixes, maybe some added functionality now and then, but no breaking changes…

            The actual risk of almost all vulnerabilities is quite low indeed because of the way our systems are set up. It’s just the eerie feeling of seeing all these critical issues while installing my modules that doesn’t feel right.

            sdetweil @qistoph:

              @qistoph we don’t have any binaries, all our code is in JavaScript. we are exposed to the general internet trends, speed of delivery over stability

              breaking changes are everywhere.

              I will say that a couple of volunteers have been working hard on processes for MM to detect those breaking changes by implementing a test system. but nothing is perfect

              Sam


              MagicMirror created by Michael Teeuw.
              Forum managed by Paul-Vincent Roll and Rodrigo Ramírez Norambuena.