A question for #FLOSS folk out there: do you audit your dependencies? Do you do it each time you update your dependency?
I'm *considering* using an external dependency to build a time-constrained cache of information that is not strictly sensitive, but I've got a gut feeling that this cache could make my project vulnerable if things went wrong in a specific way.
All hints and advice welcome.
Also: please boost!
#infosec #DevSecOps #FOSS
I'm *considering* using an external dependency to build a time-constrained cache of information that is not strictly sensitive, but I've got a gut feeling that this cache could make my project vulnerable if things went wrong in a specific way.
All hints and advice welcome.
Also: please boost!
#infosec #DevSecOps #FOSS
Follow
@pfm My guess is that it depends a lot on what communities and languages that are under consideration.
My GutFeeling; the bigger the eco-system, the lesser the manual audit and more reliance on automated tools, like GitHub's dependabot.
Some projects are actively keeping dependencies to a minimum, and other don't seem to care.
