asf-tooling opened a new issue, #1067:
URL: https://github.com/apache/tooling-trusted-releases/issues/1067
**ASVS Level(s):** L1
**Description:**
### Summary
The npm/frontend dependency ecosystem lacks documented update timeframes and
automated freshness enforcement, creating an asymmetric policy where Python
dependencies have a 30-day documented timeframe but npm dependencies have none.
While vulnerability scanning exists via npm audit, there is no mechanism to
prevent deployment of stale but non-vulnerable versions. The
`bootstrap/context/bump.sh` script implements a 14-day cooldown that prevents
TOO-NEW versions but has no check for TOO-OLD versions.
### Details
The issue exists in `bootstrap/source/package.json` line 3 and
`bootstrap/context/bump.sh` lines 14-16. No documented update timeframe exists
for npm dependencies, and no automated enforcement prevents deployment of
outdated versions.
### Recommended Remediation
1. **Add npm to Dependabot** (`.github/dependabot.yml`):
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/bootstrap/source"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    # Match existing bump.sh cooldown
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major",
                       "version-update:semver-minor"]
    # Allow updates only after 14 days
```
2. **Add npm freshness check** (`scripts/check_npm_dependencies_updated.py`):
```python
#!/usr/bin/env python3
"""Check that npm dependencies are not stale."""
import sys
from datetime import datetime
from pathlib import Path

MAX_AGE_DAYS = 60

package_lock = Path("bootstrap/source/package-lock.json")
if not package_lock.exists():
    print("ERROR: package-lock.json not found")
    sys.exit(1)

# The lockfile's modification time is used as the proxy for when the
# dependency set was last refreshed.
last_modified = datetime.fromtimestamp(package_lock.stat().st_mtime)
age_days = (datetime.now() - last_modified).days
if age_days > MAX_AGE_DAYS:
    print(f"ERROR: package-lock.json is {age_days} days old (max {MAX_AGE_DAYS})")
    sys.exit(1)
print(f"OK: package-lock.json is {age_days} days old")
```
3. **Document policy in DEPENDENCIES.md**:
```markdown
## npm Dependency Update Policy
### Update Frequency
- npm dependencies must be updated at least every 60 days
- Dependabot runs weekly and creates PRs for outdated packages
- 14-day cooldown period enforced to match bump.sh behavior
### Freshness Enforcement
- Pre-commit hook checks package-lock.json age
- CI pipeline fails if dependencies exceed 60-day maximum age
- Manual override available for documented exceptions
```
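As an added example (not the project's script and not the check proposed in step 2 above), the following check derives freshness from registry publish dates instead of the lockfile's modification time, which a fresh git checkout resets to the checkout time and therefore says nothing about how old the locked versions are. It reads the locked versions from a lockfileVersion 3 `package-lock.json`, applies the 14-day cooldown from `bump.sh` as a lower bound and the proposed 60-day maximum as an upper bound, and only calls a version stale when a newer version has itself cleared the cooldown. The lockfile contents, package names, versions, dates and the `REGISTRY_TIMES` map are all constructed for the example; in real use the `time` map comes from the registry document for each package (`https://registry.npmjs.org/<name>`), and `NOW` would be the current UTC time.

```python
#!/usr/bin/env python3
"""Freshness check for npm dependencies driven by registry publish dates.

Classifies every locked version as:
  too-new : published less than COOLDOWN_DAYS ago (the bump.sh rule)
  stale   : older than MAX_AGE_DAYS while a newer version has cleared the cooldown
  ok      : otherwise (an old version with no eligible successor is not stale)
  unknown : locked version absent from registry metadata; needs a human look
"""
import json
import sys
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 60    # upper bound proposed for the npm update policy
COOLDOWN_DAYS = 14   # lower bound matching bootstrap/context/bump.sh

# Constructed package-lock.json (lockfileVersion 3 layout) used when no path is given.
LOCKFILE = {
    "name": "bootstrap-source",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "bootstrap-source"},
        "node_modules/ui-kit": {"version": "1.4.0"},
        "node_modules/icons": {"version": "2.0.1"},
        "node_modules/base-css": {"version": "5.3.3"},
    },
}

# Constructed stand-in for the `time` map in each package's registry document;
# package names, versions and dates are made up for this example.
REGISTRY_TIMES = {
    "ui-kit": {"created": "2023-01-01T00:00:00.000Z", "modified": "2025-03-01T00:00:00.000Z",
               "1.4.0": "2024-01-10T00:00:00.000Z", "1.5.0": "2025-03-01T00:00:00.000Z"},
    "icons": {"2.0.0": "2025-01-01T00:00:00.000Z", "2.0.1": "2025-05-28T00:00:00.000Z"},
    "base-css": {"5.3.2": "2023-09-14T00:00:00.000Z", "5.3.3": "2024-02-20T00:00:00.000Z",
                 "5.3.4": "2025-05-25T00:00:00.000Z"},
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock so the results are reproducible


def parse_npm_time(ts: str) -> datetime:
    """npm emits ISO-8601 with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_lockfile(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def locked_versions(lock: dict) -> dict:
    """Map package name -> locked version, including nested and scoped installs."""
    result = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":          # the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        result[name] = entry["version"]
    return result


def classify(name: str, locked: str, times: dict, now: datetime) -> str:
    published = {v: parse_npm_time(t) for v, t in times.items() if v not in ("created", "modified")}
    if locked not in published:
        return "unknown"
    cooldown = timedelta(days=COOLDOWN_DAYS)
    age = now - published[locked]
    if age < cooldown:
        return "too-new"
    # Newest version (by publish date) that has been public for at least the cooldown;
    # the locked version is always in this list, so it is never empty.
    eligible = [v for v, t in published.items() if now - t >= cooldown]
    newest_eligible = max(eligible, key=lambda v: published[v])
    if newest_eligible != locked and age > timedelta(days=MAX_AGE_DAYS):
        return "stale"
    return "ok"


def run_check(lock: dict, registry: dict, now: datetime) -> dict:
    """Return {package: status} for every locked dependency."""
    return {name: classify(name, version, registry.get(name, {}), now)
            for name, version in locked_versions(lock).items()}


def main() -> int:
    lock = load_lockfile(sys.argv[1]) if len(sys.argv) > 1 else LOCKFILE
    versions = locked_versions(lock)
    results = run_check(lock, REGISTRY_TIMES, NOW)
    for name, status in sorted(results.items()):
        print(f"{status:8} {name}@{versions[name]}")
    # Fail the pipeline when any dependency is outside the [cooldown, max-age] window.
    return 1 if any(s != "ok" for s in results.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

With the constructed data, `ui-kit` is reported stale (its 1.5.0 release has been public for well over 14 days while the locked 1.4.0 is more than 60 days old), `icons` is too-new (2.0.1 is four days old) and `base-css` is ok (5.3.4 is still inside the cooldown, so 5.3.3 is the newest eligible version). "Newest" is decided by publish date rather than semver ordering, which keeps the script free of a semver parser; a backported patch on an older release line would win in that comparison, so a project that needs line-aware ordering should substitute a semver sort.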
### Acceptance Criteria
- [ ] Dependabot configuration added for npm ecosystem
- [ ] Weekly schedule configured with 14-day cooldown
- [ ] Freshness check script created (check_npm_dependencies_updated.py)
- [ ] Pre-commit hook added to run freshness check
- [ ] CI pipeline updated to enforce freshness check
- [ ] DEPENDENCIES.md updated with npm update policy
- [ ] 60-day maximum age documented and enforced
- [ ] Team trained on npm dependency update process
### References
- Source reports: L1:15.2.1.md
- Related findings: None
- ASVS sections: 15.2.1
### Priority
Medium
---
**Triage notes:** look for pre-existing scanner