Ask HN: Does anyone investigate open source packages before using in prod?
I'm curious to hear if anyone else does any due diligence before using open source packages in production? Not anything major - just checking for recent commits / activity, issue logs, etc.
39 comments
[ 3.1 ms ] story [ 89.8 ms ] threadFor example, our company is working on an app that has 82 npm dependencies and over 17,000 resolved npm packages...
It's absolutely ridiculous to investigate all of them... but it's also necessary if you want to be sure...
Yep, all the way to the end.
I got the idea from a book called "Hollywood Secrets of Project Management Success" by James R. Persse. It's two books interleaved really, one is just a standard pitch for Agile methods (IMO), but the other is a presentation of the process that large film studios use to make movies. The movie industry is ~100 years old and mostly very good at bringing in projects on time and under budget.
Somewhere in there he talks about how they'll track their dependencies in a kind of "portfolio", I forget the details, but it translates in IT to a "dependency portfolio" and you would (if you're large enough) have an actual "Deps Dept." and a Deps Manager whose sole job is tracking dependencies and their updates and patches, etc.
> working on an app that has 82 npm dependencies
Ach! Well, see, there's your problem right there. :-)
Seriously though, one of the benefits of a dependency portfolio is to help you know when your system has gotten out of hand. The problems are still there even if you don't look at them, eh?
> It's absolutely ridiculous to investigate all of them... but it's also necessary if you want to be sure...
Ya feel. ;-)
It's pretty common for JS projects to have thousands of transitive dependencies, I'm not sure keeping a private portfolio is much use. The entire open-source ecosystem is built on the foundation of trust, if I use a package that's being used by 500 other packages, I can have a high degree of certainty that the package is safe, and by locking the dependencies with yarn.lock I can prevent sneaky updates from entering the system.
Anyway maybe I'll look into the dependency portfolio, see how it goes.
> How do you verify a dependency? Do you literally examine the source code?
Yeah. It's part of the overhead of using the software. You also look at the history of bugs and how they were handled.
> It's pretty common for JS projects to have thousands of transitive dependencies
Yeah, I know, and it's bonkers IMO.
> The entire open-source ecosystem is built on the foundation of trust
In practice, yes, but in theory, no. The whole idea is that you get to see the code you're running, because the guys who wrote it are clowns. Free Software started when RMS wanted to fix his printer and Xerox said, "No."
> if I use a package that's being used by 500 other packages, I can have a high degree of certainty that the package is safe
I think history has shown that that reasoning is at best probabilistic, eh? You're gambling.
Now, of course, there are limits. Some things get a pass. Do we audit the source of the bash shell? No, despite the fact that it's maintained by a single volunteer.
> Anyway maybe I'll look into the dependency portfolio, see how it goes.
Check out that "Hollywood Secrects" book I mentioned.
0. A dev wants to use a new dependency, likely after experimenting with it a little bit.
1. Preliminary evaluation, which includes a transitive dependency scan. ("Too many dependencies" is a valid fail condition all on it's own.)
2. If everything looks good we bring it and it's deps into our internal repo. This includes the plumbing to add it to our dev|test|production envs. (Using Docker or whatever.)
3. Now the devs can use it in code destined for prod. There's a nice page in the company wiki that lists the exact version(s) with links to the docs, bug trackers, mailing lists, etc. and also the internal company lore for that package.
It's tight.
- - - -
This might seem like a lot of work up front, but think about all the work it saves down the line.
I'm guessing you work at a pretty large tech company. It seems wasteful that so many companies might be replicating this work. I wonder if there might be the opportunity for a body to review & approve packages on behalf of many companies. Perhaps npm will eventually move in this direction.
Yes, but this is typically pretty low overhead. And when it's not, it usually means there is some issue that has to be addressed anyway.
> I'm guessing you work at a pretty large tech company.
I did once, but right now "we" is a tiny startup (we're using Elm and Erlang.)
> I wonder if there might be the opportunity for a body to review & approve packages on behalf of many companies.
Ideally, that's what Free/Open Source Software would be, eh?
In the old days there were "sysadmins", System Administrators, who handled a lot of this sort of thing.
I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc. but they do assess if the entities that write + support them are worth trusting. This is likely the only realistic approach for complex JavaScript apps also.
Right. And that's really bad.
> I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc.
Right, but some people do. Hire one of them. (And if your "props dept." can't keep up with the changes to all the things that's also really bad.)
> they do assess if the entities that write + support them are worth trusting.
No one is a magic code elf. (Some people come close. Fabrice Bellard might count. But even that worthy commits bugs.)
Like I said in a sib comment, yeah, some things get a pass. Bash shell for example. Then again, remember e.g. "heartbleed"?
> Right. And that's really bad.
> > I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc.
> Right, but some people do. Hire one of them.
The interesting question isn't if you can do it, it's when should you, to what extent, and how much it will cost.
"Always do it, do it in-depth, the time consumed isn't important and the budget isn't important" is a bad approach for example and isn't helpful to the OP.
Successful software development is all about making appropriate tradeoffs - you're not going to get very far by conducting your own OpenSSL audit when all you want to do is write a todo web app.
I once helped a guy build a go-cart out of an old lawn mower engine and a bed frame. It was a lot of fun. We didn't do any research, we just made it.
If I'm provisioning a commercial fleet (for a delivery service or something) I'm going to do my homework to make sure the cars we deploy are low-maintenance, high-mileage, with a good safety record, etc.
https://github.com/olegmikhnovich/News-API-ruby/blob/master/...
If you work in a secure environment or support critical infrastructure there are teams whose sole purpose is to approve/deny releasing software regardless of who wrote it. Such teams will typically require source code, written justification, senior management signed approval, and test validation. In the case where source code is not provided, such as closed source commercial software, the vendor will be required to accept liability for all losses due to their software as ratified by a signed contract.
The time-opportunity cost isnt worth it on average
It's very annoying, it's not free, and it affects what kinds of libraries I use. My projects have fewer and smaller dependencies than typical because of these self imposed constraints.
On the upside, borrowing a pattern or a dozen lines of code instead of pulling a dependency that will remain 90% unused is really underrated. As is understanding how things work under the hood.
There are definitely some things in React's dependency tree that are a bit questionable if you are sensitive enough to any given problem, beyond just security. For example, packages where the license being used is contradictory between the package.json vs the LICENSE file or the full license terms are not expressed within these but are clarified in the README.md.
Taking a look at your at your github projects and build.sbt... this is quite an understatement.
https://medium.com/hackernoon/im-harvesting-credit-card-numb...
No, most people don't, they even have a hard time keeping library versions up to date.
The best I've been able to come up with is to pick things that have minimal dependencies of their own. It doesn't eliminate the threat, but it does at least reduce it.
Edited: I reached out to some security people and it seems like the following are popular tools for this use case: Snyk / Dependabot / Whitesource.
It's not often I spot anything major, but I figure if I have the time I should do it just in case.
I often look at the code for PHP-extensions, npm-libraries, and similar that colleagues introduce. Just to be sure there's not anything blatently horrid going on.