
Comments (4)

djcouto commented on May 21, 2024

Hi @gsilvapt!

Your issue is a pertinent one, and it is also our opinion that any dependency vulnerability should be detected and fixed as soon as possible. We also agree that without unit tests, any automatic fix could lead to breakage, which we want to avoid.
We are currently looking into issue #7. There are a number of specificities of this type of application that make it a non-trivial task. As soon as there are some developments there, we will get back to this one.

Meanwhile, we are fixing the 259 vulnerabilities #17.

from stayaway-app.

joaoportela commented on May 21, 2024

@bertolo1988 one of the reasons I suggested dependabot was because it is safer than doing auto-fix blindly.

You obviously always review the PRs created by dependabot before merging. It just really makes the process easier.


joaoportela commented on May 21, 2024

If you don't think auto-fix is feasible/safe, maybe dependabot would be a good strategy.

I've used it for personal projects and had a good experience.


bertolo1988 commented on May 21, 2024

I would not recommend updating any dependency without a deep inspection. Due to the nature of this project, the risk of being targeted is very high, and it is quite easy to inject malicious code through not-so-well-maintained projects.

(I opened a ticket about this a few days ago: #84. It got closed after one dependency fix; there are thousands in the tree that are auto-updating.)

In a private project I would trust the dependabot without issues.

Opening a FE project to the public just for the sake of showing is ridiculous: this project gives all the information a malicious user could ever want plus you can't even prove this source is the one being deployed and distributed.

