As part of a broader initiative to perform a security review of the third party libraries we use, there is now a semi-automated service that can file bugs when upstream libraries are newer than the one we embed.
Closely tracking upstream can ensure we don't inherit publicly known vulnerabilities. That's bitten us in the past and indeed during the initial filing of bugs, we identified a few outstanding ones. And it can bring in speed and performance improvements, and new features.

The initial cut of the tool has been focused on libraries that we embed in mozilla-central (:arroway found a ton of them) but we don't think the list is complete. If you're a maintainer of a library, please please please confirm we are tracking your library. Check out https://github.com/mozilla-services/third-party-library-alert/blob/master/libraries.json and search for your library - if you don't see it there (and I haven't emailed you about it) we don't know about it and we want to both know about it and add it into this service.

However, there's no reason it has to be focused on mozilla-central - we'd be happy to track stuff for the multitude of people building stuff outside -central too. So if it's useful to you, let me know! And it doesn't have to be an entire library, we can track commits on individual source files inside of a larger repository also.

Also: If you do see your library there, and you would like any bugs filed for it to do something special (e.g. block a specific tracking bug, cc you, whatever) again please reach out.

Finally, it would be great if, going forward, when we add a new library to the tree we immediately add it into this tool. So if you're doing review and see someone adding a library, or even just excerpts from a library - ask them to add it in (or ask them to ask me to add it in).

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
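As an added illustration (not code from the post or from the third-party-library-alert project), this is the core comparison such a service performs: for each embedded library, decide whether upstream is newer and a bug should be filed, covering both version-tracked libraries and the per-file commit tracking the post mentions. The manifest schema is an assumption made up for this example and is not the real libraries.json format.

```python
"""Added example: stale-dependency check in the spirit of the service described
above. The manifest layout is assumed for illustration only."""
import re

# Constructed manifest: the version/commit we embed vs. what upstream currently ships.
MANIFEST = [
    {"name": "libfoo", "embedded": "1.9.2", "upstream": "1.10.0"},
    {"name": "libbar", "embedded": "2.4.0", "upstream": "2.4.0"},
    {"name": "libbaz", "embedded": "0.9", "upstream": "0.9.1"},
    # Per-file tracking: compare the upstream commit we vendored against upstream HEAD
    # (hashes are placeholders, not real commits).
    {"name": "bigrepo/src/util.c", "embedded": "abc123", "upstream": "def456",
     "kind": "commit"},
]


def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so comparison is numeric per component.

    Plain string comparison would wrongly rank '1.9' above '1.10'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_stale(entry):
    """True when a 'newer upstream' bug should be filed for this entry."""
    if entry.get("kind") == "commit":
        # For tracked files there is no ordering; any drift from the vendored commit counts.
        return entry["embedded"] != entry["upstream"]
    return parse_version(entry["upstream"]) > parse_version(entry["embedded"])


def stale_libraries(manifest):
    """Names of every manifest entry that is behind upstream, in manifest order."""
    return [e["name"] for e in manifest if is_stale(e)]


if __name__ == "__main__":
    for name in stale_libraries(MANIFEST):
        print(f"file bug: {name} is behind upstream")
```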