Staying ahead of vulnerabilities in your repositories

How often do developers use third-party code?

Depends. “Very often” is going to be the answer for a lot of languages. It makes zero sense to reinvent the wheel (and make all the mistakes along the way) rather than pull in a package via npm/composer/cargo/gem/vcpkg/gradle/etc.

It’ll only not be the answer if everything pulled in externally is either fully disallowed (though the Stack Overflow “package manager” is sometimes used in such cases), or if it all needs an audit.

A somewhat common method is to fork external dependencies into a private repo copy, and ensure that’s the version pulled in & audited. Though this has the side effect of super slow patching from upstream.

YMMV, but some languages make it VERY easy to have third party code.
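The "fork into a private repo and pin that copy" approach above has two things worth checking mechanically: that every dependency really does resolve to the internal fork rather than a public source, and how far each fork has fallen behind upstream (the slow-patching side effect the comment mentions). The script below is an added example, not code from the thread or from the linked Reddit post; it assumes a pip-style lockfile of direct references (`name @ git+url@ref`), an internal fork host named `git.internal.example`, and a constructed snapshot of the latest upstream versions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hostname of the private fork server (an assumption for this example).
INTERNAL_HOST = "git.internal.example"

# Constructed sample lockfile in pip's direct-reference form: name @ git+url@ref.
SAMPLE_LOCK = """\
# pinned forks, last reviewed 2024-01 (constructed sample)
requests @ git+https://git.internal.example/forks/requests@v2.31.0
urllib3 @ git+https://github.com/urllib3/urllib3@1.26.18
cryptography @ git+https://git.internal.example/forks/cryptography@v41.0.7
"""

# Constructed snapshot of the newest upstream release per package at audit time.
UPSTREAM_LATEST = {
    "requests": "2.32.3",
    "urllib3": "2.2.1",
    "cryptography": "41.0.7",
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*@\s*git\+(https?://[^@\s]+)@(\S+)\s*$")


@dataclass
class Dep:
    name: str
    url: str   # repository the pin resolves to
    ref: str   # tag pinned in the lockfile, e.g. v2.31.0


def parse_lock(text: str) -> list[Dep]:
    """Parse direct-reference lock lines; comments and blank lines are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised lock line: {line!r}")
        deps.append(Dep(*m.groups()))
    return deps


def is_internal(dep: Dep) -> bool:
    """True when the pin points at the private fork server."""
    return urlparse(dep.url).hostname == INTERNAL_HOST


def parse_version(ref: str) -> tuple[int, ...]:
    """Turn 'v2.31.0' or '2.31.0' into a comparable tuple."""
    return tuple(int(p) for p in ref.lstrip("v").split("."))


def lag(pinned: str, latest: str) -> str:
    """Classify how far a pinned version trails upstream: current, or major/minor/patch-behind."""
    for label, ours, theirs in zip(("major", "minor", "patch"), parse_version(pinned), parse_version(latest)):
        if ours < theirs:
            return f"{label}-behind"
        if ours > theirs:
            return "current"
    return "current"


def audit(lock_text: str, upstream: dict[str, str]) -> list[dict]:
    """Report, per dependency, source-policy violations and upstream drift."""
    findings = []
    for dep in parse_lock(lock_text):
        issues = []
        if not is_internal(dep):
            issues.append("external-source")
        latest = upstream.get(dep.name)
        if latest is None:
            issues.append("unknown-upstream")
        elif (drift := lag(dep.ref, latest)) != "current":
            issues.append(drift)
        findings.append({"name": dep.name, "pinned": dep.ref.lstrip("v"), "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK, UPSTREAM_LATEST):
        print(f"{f['name']:<14} {f['pinned']:<10} {', '.join(f['issues']) or 'ok'}")
```

Run against the constructed sample, `urllib3` is flagged both for resolving to a public GitHub URL and for being a major version behind, `requests` only for minor-version drift, and `cryptography` passes. In practice the upstream snapshot would come from the registry or the upstream tags rather than a hard-coded dict, and the "behind" findings are what keeps the private-fork approach from silently turning into a pile of unpatched copies.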

Courtesy of:

https://www.reddit.com/r/netsec/comments/ev2zo7/staying_ahead_of_vulnerabilities_in_your/
