feat: dependencies security review #1828

Open
weboko opened this issue Feb 5, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@weboko
Collaborator

weboko commented Feb 5, 2024

This is a support request

Problem

js-waku is a client-side set of libraries that depends heavily on many packages from the npm ecosystem.
One of our goals is to provide the best privacy guarantees possible in a web environment. One part of this is addressed by the architecture of the network, but we shouldn't forget that bad code can get in and cause leaks, such as spying on any input on a web page, XSS, etc.

Proposed Solutions

We should not spend too much time on it, at least not now, but lay the groundwork for future improvements.
This should include:

  • review dependencies and decrease their number as much as possible;
  • run npm audit at the very least to check the remaining dependencies;
  • check the Dependabot configuration and, if not present, add checks for package updates and security updates;
  • double-check that releases happen using npm ci so that the locked versions of packages are installed;
  • investigate and set up a pipeline that blocks releases if npm audit does not succeed (or some other requirement that prevents bad dependencies from being released);

Notes

Useful links:

@weboko weboko added the enhancement New feature or request label Feb 5, 2024
@weboko weboko added this to Waku Feb 5, 2024
@weboko weboko moved this to Triage in Waku Feb 5, 2024
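The release gate proposed in the issue above (install with npm ci, run npm audit, block the release when the audit fails), as an added example that is not part of the original issue or of the js-waku project. It assumes the npm v7+ `npm audit --json` report shape (`auditReportVersion: 2`) and evaluates a constructed sample report; the package names and advisory titles in the sample are invented for illustration, and the file name `audit-gate.js`, the `AUDIT_FAIL_AT` variable and the allowlist are assumptions of this example, not project conventions.

```javascript
// audit-gate.js: decide whether a release may proceed from `npm audit --json` output.
// Added example for this issue, not js-waku project code. Assumes the npm v7+
// audit report shape (auditReportVersion 2): a top-level `vulnerabilities` map
// keyed by package name, each entry with `severity`, `isDirect`, `fixAvailable`
// and `via`, plus severity counts under `metadata.vulnerabilities`.

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Returns { ok, blocking, counts }. The release is blocked when any advisory at or
// above `failAt` is present and its package is not on the reviewed `allowlist`
// (an allowlist entry is the explicit, auditable way to accept a known finding;
// lowering `failAt` to make the build pass is not).
function evaluateAudit(report, { failAt = "high", allowlist = [] } = {}) {
  const threshold = SEVERITY_ORDER.indexOf(failAt);
  if (threshold < 0) throw new Error(`unknown severity level: ${failAt}`);

  const blocking = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_ORDER.indexOf(vuln.severity);
    if (rank < threshold || allowlist.includes(name)) continue;
    blocking.push({
      name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      // npm reports fixAvailable as true, false, or an object describing the fix
      fixAvailable: vuln.fixAvailable !== false,
      // `via` mixes advisory objects with plain package-name strings (transitive causes)
      advisories: (vuln.via || [])
        .filter((v) => typeof v === "object" && v !== null)
        .map((v) => v.title),
    });
  }
  // Worst first, so the CI log leads with what matters.
  blocking.sort(
    (a, b) => SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity)
  );

  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  return { ok: blocking.length === 0, blocking, counts };
}

// Human-readable summary for the CI log.
function formatResult(result) {
  const lines = [
    `npm audit: ${result.counts.total ?? "?"} finding(s), ${result.blocking.length} blocking`,
  ];
  for (const b of result.blocking) {
    const kind = b.direct ? "direct" : "transitive";
    const fix = b.fixAvailable ? "fix available" : "NO FIX AVAILABLE";
    lines.push(`  ${b.severity.toUpperCase()} ${b.name} (${kind}, ${fix}) ${b.advisories.join("; ")}`);
  }
  lines.push(result.ok ? "release gate: PASS" : "release gate: BLOCKED");
  return lines.join("\n");
}

// Constructed sample report: package names and advisory titles are invented for
// this example and do not refer to real packages or real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "constructed-pkg-a": {
      name: "constructed-pkg-a", severity: "critical", isDirect: true, range: "<2.0.0",
      via: [{ title: "Constructed advisory: prototype pollution", severity: "critical" }],
      fixAvailable: { name: "constructed-pkg-a", version: "2.0.0", isSemVerMajor: true },
    },
    "constructed-pkg-b": {
      name: "constructed-pkg-b", severity: "moderate", isDirect: false, range: "<1.4.2",
      via: [{ title: "Constructed advisory: ReDoS", severity: "moderate" }],
      fixAvailable: true,
    },
    "constructed-pkg-c": {
      name: "constructed-pkg-c", severity: "high", isDirect: false, range: "*",
      via: ["constructed-pkg-a"], // vulnerable only through its dependency on pkg-a
      fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 },
  },
};

// CLI: `node audit-gate.js audit.json`; a non-zero exit blocks the release step.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const report = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const result = evaluateAudit(report, { failAt: process.env.AUDIT_FAIL_AT || "high" });
  console.log(formatResult(result));
  process.exit(result.ok ? 0 : 1);
}
```

In a release job this runs after `npm ci` (which fails outright when package-lock.json and package.json disagree, instead of silently re-resolving like `npm install`): `npm audit --json > audit.json || true` captures the report (npm audit itself exits non-zero whenever it finds anything, so the gate, not npm, decides), then `node audit-gate.js audit.json`. Two caveats worth keeping in mind: npm audit only knows about packages with published advisories, so a malicious package that has no advisory passes this gate, which is why it complements rather than replaces the dependency reduction and review in the first bullet; and `--audit-level` on npm audit gives a similar threshold without the script, but the script is what lets a reviewed allowlist and the per-finding detail appear in the CI log.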
@weboko
Collaborator Author

weboko commented Feb 5, 2024

ping @chair28980 for help with parenting this issue

@chair28980
Contributor

chair28980 commented Feb 5, 2024

@weboko do you think this work can be included in one of the Milestones defined on the 2024 roadmap? Perhaps Composing Waku Protocols to Improve Reliability https://github.com/waku-org/pm/blob/fffa450b0d20c3aac2479106e8b2217706f68ae1/ROADMAP.md

waku-org/pm#114

@weboko
Collaborator Author

weboko commented Feb 6, 2024

To me it seems a bit different to what the Milestone is about. Perhaps we can create a new one that would cover compliance with privacy guarantees.

cc @fryorcraken

@chair28980 chair28980 moved this from Triage to To Do in Waku Mar 6, 2024
@fryorcraken
Collaborator

> To me it seems a bit different to what the Milestone is about. Perhaps we can create a new one that would cover compliance with privacy guarantees.

Reliability needs to come first, then scaling, then privacy.

I see this work as part of release, maintenance, etc. I would not invest too much time in it for now, beyond ensuring npm audit is run before a release, as for 2024 js-waku's sole purpose is to dogfood reliability protocols.
