Hi Peter, others,

On Tue, Mar 6, 2018 at 1:13 PM, Peter Saint-Andre <stpe...@mozilla.com>

> On 2/28/18 5:23 PM, Nicholas Alexander wrote:
> > Hello dev-platform,
> >
> > For the reasons outlined at
> > https://docs.google.com/document/d/1tOA2aeyjT93OoMv5tUMhAPOkf4rF_
> IJIHCAoJlwmDHI/edit?usp=sharing,
> It would be good to document the security implications of this approach.
> By using Node we will probably inherit a large number of third-party
> dependencies. Although we could use a service such as the Node Security
> Platform [1] to determine the security status of these dependencies,
> regular monitoring and upgrading will be needed to ensure that we do not
> introduce vulnerabilities into our build process.

This is an excellent point, and I will add a section into the "Intent to
require Node to build Firefox 61" document discussing it.

There is a separate but related sibling proposal that has not yet left a
small working group that aims to make vendoring into mozilla-central more
uniform and more automated.  That proposal directly addresses the security
story around vendored third-party dependencies and their transitive
dependencies -- in fact, it's a motivating force behind that proposal.  We
(folks behind the Node proposal) are actively working with the folks behind
this sibling proposal to ensure that we have a workable solution to
upgrading Node dependencies across the tree in a timely manner in the face
of security updates.

Thanks for sharing the nodesecurity.io service -- I'll read more as I add
the section.

dev-builds mailing list

Reply via email to