sábado, 31 de marzo de 2018

Upgrade your dependencies!

I recently revisited and old repository on my public GitHub, and I was impressed on how good is the platform, as soon as I was on the repository, I was checking I was received by a big yellow banner alerting me on a dependency vulnerability.












One of my JS dependencies is vulnerable! but when I checked the vulnerable dependency, I was surprised by how the vulnerability is really hitting me.









It is a dependency of one of my dependencies, and then I just started wondering, how may other packages or systems can be affected by things like this! It is not just a dependency, it is a dependency I trusted because I trusted on Chart.js.

Now, ASP.NET Core is one framework I use a lot, and .NET Core is the runtime on which it runs, since it is now open source, I decided to take a look at their announcement repository, just to know if they have something where they tell everyone about a known security issue. To my surprise, they do have a tag of security, and they are continuously updating it, on the .NET repository as well in the ASP.NET repository.




So, now lets take a look at one of those issues, Elevation of Privilege is a common attack on windows systems, so having those kind of problems on a server in a cloud platform seems like a bad idea, lets take a look at the most recent Issue. And to my surprise, it is very well documented, it has all the necessary info about which software is affected and how to be safe, which versions of the runtime or packages are already patched so you can update to those ones.

Conclusion
As maintainers of our own services, we should be aware of this kind of things, not just your OS should be always up-to-date, but your runtime and dependencies, even if they are not direct dependencies, every one of us should be aware of what kind of problems can come from not having those type of cautions.

PS. I'm now watching both announcement repositories and I'll eventually get into my repository to correct and update everything, even though it is not a running system, it should be updated just in case someone eventually wants to use it.

No hay comentarios:

Publicar un comentario