Apart from security concerns, what else would you look for to vet dependencies when we choose them?
This is to start the discussion about the security of our JavaScript packages and dependencies.
Currently we lock the packages using yarn.lock, but it still fetches from npm, which could be vulnerable.
We might need to have a stronger locking mechanism to prevent a 'software supply chain attack'.
We can explore tools like https://github.com/LavaMoat/LavaMoat or build our own.
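As an added illustration of the lockfile concern raised above (example code, not from this discussion or from the LavaMoat project): a small Node script that parses a yarn.lock v1 file and reports the entries that leave the lock weaker than it looks, namely no integrity hash, a non-sha512 hash, or a tarball resolved from a host outside the expected registries. The lockfile text, the allowed-host list and every hash value in it are constructed for the example.

```javascript
// Added example. SAMPLE_LOCK is a constructed yarn.lock v1; hashes and the example.com host are not real.
const SAMPLE_LOCK = `# yarn lockfile v1
lodash@^4.17.15:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#0000000000000000000000000000000000000000"
  integrity sha512-CONSTRUCTEDNOTAREALHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#0000000000000000000000000000000000000000"
"@acme/widget@^2.0.0", "@acme/widget@^2.1.0":
  version "2.1.3"
  resolved "https://tarballs.example.com/acme-widget-2.1.3.tgz"
  integrity sha1-CONSTRUCTEDNOTAREALHASHAAAA=
  dependencies:
    lodash "^4.17.15"
`;

// Registries whose tarballs we expect; anything else is reported (assumed policy, adjust per project).
const ALLOWED_HOSTS = new Set(['registry.yarnpkg.com', 'registry.npmjs.org']);

// Parse yarn.lock v1 into { '<spec>[, <spec>]': { version, resolved, integrity } }; a header is an unindented line ending in ':'.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = entries[specs.join(', ')] = {};
    } else if (current && /^ {2}\S/.test(line) && !line.endsWith(':')) {
      // Two-space indented "key value" field; deeper blocks (dependencies) are skipped.
      const m = line.trim().match(/^(\S+)\s+"?([^"]*)"?$/);
      if (m) current[m[1]] = m[2];
    }
  }
  return entries;
}

// Report entries with no integrity, a non-sha512 integrity, or a tarball from an unexpected host.
function auditYarnLock(text) {
  const findings = [];
  for (const [spec, e] of Object.entries(parseYarnLock(text))) {
    if (!e.integrity) findings.push(`${spec}: no integrity hash`);
    else if (!e.integrity.startsWith('sha512-')) findings.push(`${spec}: weak integrity algorithm (${e.integrity.split('-')[0]})`);
    let host = null;
    try { host = new URL(e.resolved || '').hostname; } catch { /* missing or not a URL */ }
    if (!ALLOWED_HOSTS.has(host)) findings.push(`${spec}: resolved from ${host || 'non-registry source'}`);
  }
  return findings;
}
```

Feeding the contents of a project's real yarn.lock to `auditYarnLock` gives the same report for that project; a clean run means every pinned tarball carries a sha512 hash and comes from an expected registry, which is the part of the lock yarn actually verifies at install time.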