On 3/6/18 3:36 PM, Nicholas Alexander wrote:
> Hi Peter, others,
> On Tue, Mar 6, 2018 at 1:13 PM, Peter Saint-Andre <stpe...@mozilla.com
> <mailto:stpe...@mozilla.com>> wrote:
>     On 2/28/18 5:23 PM, Nicholas Alexander wrote:
>     > Hello dev-platform,
>     >
>     > For the reasons outlined at
>     > 
> https://docs.google.com/document/d/1tOA2aeyjT93OoMv5tUMhAPOkf4rF_IJIHCAoJlwmDHI/edit?usp=sharing
> <https://docs.google.com/document/d/1tOA2aeyjT93OoMv5tUMhAPOkf4rF_IJIHCAoJlwmDHI/edit?usp=sharing>,
>     It would be good to document the security implications of this approach.
>     By using Node we will probably inherit a large number of third-party
>     dependencies. Although we could use a service such as the Node Security
>     Platform [1] to determine the security status of these dependencies,
>     regular monitoring and upgrading will be needed to ensure that we do not
>     introduce vulnerabilities into our build process.
> This is an excellent point, and I will add a section into the "Intent to
> require Node to build Firefox 61" document discussing it.


> There is a separate but related sibling proposal that has not yet left a
> small working group that aims to make vendoring into mozilla-central
> more uniform and more automated.  That proposal directly addresses the
> security story around vendored third-party dependencies and their
> transitive dependencies -- in fact, it's a motivating force behind that
> proposal.  We (folks behind the Node proposal) are actively working with
> the folks behind this sibling proposal to ensure that we have a workable
> solution to upgrading Node dependencies across the tree in a timely
> manner in the face of security updates.

Looking forward to hearing more.

> Thanks for sharing the nodesecurity.io <http://nodesecurity.io> service
> -- I'll read more as I add the section.

There a few other services like that (e.g., Snyk, SourceClear), I just
happen to know NSP best because I've used it at previous companies.


Attachment: signature.asc
Description: OpenPGP digital signature

dev-builds mailing list

Reply via email to