Did all dependencies been reviewed for security?

[hellodword]

For example, I noticed there're two jsonc related dependencies:

action/package.json

Line 34 in a1930bf

"jsonc-parser": "^3.2.0"

action/package.json

Line 46 in a1930bf

"jsonc": "^2.0.0",

The one in the devDependencies was published 5 years ago, and maintained by 1 developer.

I know it's not been used in the source code yet, but I'm curious about how the supply chain security works there.

Thanks :)

[samruddhikhandale]

Hi 👋

Generally, we depend on the Dependabot alerts to patch security vulnerabilities for the npm package dependencies. Also, we had reviewed the dependencies when we created this repository (~ like two years ago)

The one in the devDependencies was published 5 years ago, and maintained by 1 developer.

This ^ definitely won't be caught by it.

I wonder if we should start doing a bi-monthly security review or engage some tooling to help us with it. Any ideas are appreciated.
@bamurtaugh @craiglpeters Looking for your insights 👀

[hellodword]

Thanks!

This ^

I'm not expert of npm, but I guess it's not secure for important projects:

• !!!!!!!!!!!! Please do something to warn USERS besides publishing new versions vuejs/vue-cli#7054

...even locked:

• cli-shared-utils using a node-ipc version that contains protestware vuejs/vue-cli#7051 (comment)

Also, "unused dependency" may insecure, see ignore-scripts on https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html