19
Almost shipped code with a MAJOR security hole because I didn't check my dependencies
I was working on a little web app for my portfolio last week and used a free library to handle user logins. Turns out that library hadn't been updated in 2 years and had a KNOWN vulnerability listed on the CVE database. I found out when I ran a tool called Snyk that scans your code for security issues - it flagged it immediately. I was 2 clicks away from uploading that thing to GitHub for employers to see. Has anyone else had a close call like this with open source packages?
2 comments
casey_campbell, 4d ago
Read a post the other day where someone's whole company got breached from an old npm package nobody checked. Makes you wonder how many repos out there are ticking time bombs.
9
theabennett, 3d ago
@casey_campbell that "ticking time bombs" line is spot on, but how do you even start checking a thousand dependencies manually?
3
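As an added example (not code from the post, and not Snyk's or any scanner's own code), this is the core of what a dependency scanner does for the OP's case and for the "thousand dependencies" question: read every installed version out of an npm lock file, nested copies included, and compare each one against advisory version ranges. The lock file contents, package names and the CVE-style identifiers are constructed placeholders, and version comparison is simplified to dotted integers.

```python
import json

# Constructed sample in the shape of an npm package-lock.json ("packages" map,
# lockfileVersion 2/3). Not a real project's lock file.
SAMPLE_LOCK = json.dumps({
    "name": "portfolio-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "portfolio-app", "version": "0.1.0"},
        "node_modules/login-helper": {"version": "1.4.2"},
        "node_modules/@scope/jwt-utils": {"version": "2.0.0"},
        "node_modules/express-ish": {"version": "4.18.2"},
        # a nested, older copy that a top-level-only check would miss
        "node_modules/login-helper/node_modules/@scope/jwt-utils": {"version": "1.9.1"},
    },
})

# Constructed advisories in the OSV "introduced"/"fixed" event style.
# The identifiers are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "CVE-XXXX-0001", "package": "login-helper", "introduced": "0.0.0", "fixed": "1.5.0"},
    {"id": "CVE-XXXX-0002", "package": "@scope/jwt-utils", "introduced": "1.0.0", "fixed": "2.0.0"},
]

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2); a pre-release suffix like '-beta.1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def installed_packages(lock_json):
    """Yield (name, version) for every lock entry, including nested node_modules copies."""
    for path, meta in json.loads(lock_json)["packages"].items():
        if not path:
            continue  # "" is the root project itself
        # last path segment after "node_modules/" keeps scoped names like @scope/name intact
        yield path.split("node_modules/")[-1], meta["version"]

def find_vulnerable(lock_json, advisories):
    """Return (name, version, advisory_id) for each installed version in a vulnerable range."""
    findings = []
    for name, version in installed_packages(lock_json):
        v = parse_version(version)
        for adv in advisories:
            if adv["package"] != name:
                continue
            # affected if introduced <= installed < fixed (fixed version itself is clean)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings

if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{name}@{version} is affected by {adv_id}")
```

Note that the nested `@scope/jwt-utils@1.9.1` is reported even though the top-level copy is patched, which is why a lock-file walk beats eyeballing package.json.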