Hi Peter, others,

On Tue, Mar 6, 2018 at 1:13 PM, Peter Saint-Andre <stpe...@mozilla.com>
wrote:

> On 2/28/18 5:23 PM, Nicholas Alexander wrote:
> > Hello dev-platform,
> >
> > For the reasons outlined at
> > https://docs.google.com/document/d/1tOA2aeyjT93OoMv5tUMhAPOkf4rF_IJIHCAoJlwmDHI/edit?usp=sharing,
>
> It would be good to document the security implications of this approach.
> By using Node we will probably inherit a large number of third-party
> dependencies. Although we could use a service such as the Node Security
> Platform [1] to determine the security status of these dependencies,
> regular monitoring and upgrading will be needed to ensure that we do not
> introduce vulnerabilities into our build process.
>

This is an excellent point, and I will add a section into the "Intent to
require Node to build Firefox 61" document discussing it.

There is a separate but related sibling proposal that has not yet left a
small working group that aims to make vendoring into mozilla-central more
uniform and more automated.  That proposal directly addresses the security
story around vendored third-party dependencies and their transitive
dependencies -- in fact, it's a motivating force behind that proposal.  We
(folks behind the Node proposal) are actively working with the folks behind
this sibling proposal to ensure that we have a workable solution to
upgrading Node dependencies across the tree in a timely manner in the face
of security updates.

Thanks for sharing the nodesecurity.io service -- I'll read more as I add
the section.

Yours,
Nick
_______________________________________________
dev-builds mailing list
dev-builds@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-builds
