Earlier today, I made this tweet.
We need a developer holiday.
I propose Dependency Day.
A day in the year, when we fix all project dependency issues on the Github projects we manage.
It wasn't well received, of course, because "a holiday should be for resting".
I know this borders on unrealistic, but I'd like to make my case anyway.
If you're like me, you already have a pile of emails from GitHub about projects you manage whose dependencies have known security issues.
In my inbox, at least, these mostly land on JavaScript projects, and npm tries to make fixing them easy with the npm audit command, which shows you which packages have security issues, and npm audit fix, which attempts to bump the affected dependencies to versions where those issues no longer exist.
One problem with that is that the higher version your dependency gets bumped to might be incompatible with your code. npm audit fix only applies upgrades that stay within the semver ranges in your package.json; when the fixed version is a new major release, it leaves the package alone and tells you to run npm audit fix --force, and that is exactly where breaking changes come from, so you may need to check the docs to figure out what changes are necessary to keep your code working.
Another problem arises when there is no higher version of a dependency that resolves the security issue at all, perhaps because the maintainer is like us and hasn't made time for a fix. This is the bigger challenge, because now you have to raise an issue and wait for a reply, or make a PR and hope it gets attended to.
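To make the two situations above concrete, here is an added example (not code from the original post) that triages the JSON output of npm audit --json (report version 2, as produced by npm 7 and later) into three buckets: issues plain npm audit fix can handle, issues whose only fix is a semver-major bump (the --force case that can break your code), and issues with no fixed release at all. The package names, versions and advisory titles in the sample report are constructed for illustration and do not refer to real packages or real advisories.

```javascript
// Constructed sample of an `npm audit --json` report (auditReportVersion 2).
// Names, versions and titles are made up; they are not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    // A fixed release exists inside the allowed semver range: `npm audit fix` handles it.
    "widget-parser": {
      name: "widget-parser",
      severity: "moderate",
      isDirect: true,
      via: [{ title: "Prototype pollution in parse()", severity: "moderate", range: "<2.1.4" }],
      range: "<2.1.4",
      fixAvailable: true,
    },
    // The fix is only in a new major version: `npm audit fix` skips it,
    // `npm audit fix --force` applies it and may break the calling code.
    "legacy-template": {
      name: "legacy-template",
      severity: "high",
      isDirect: true,
      via: [{ title: "Template injection", severity: "high", range: "<3.0.0" }],
      range: "<3.0.0",
      fixAvailable: { name: "legacy-template", version: "3.0.0", isSemVerMajor: true },
    },
    // No released version fixes it: open an upstream issue/PR or replace the package.
    "orphan-utils": {
      name: "orphan-utils",
      severity: "critical",
      isDirect: false,
      via: [{ title: "Arbitrary code execution via eval", severity: "critical", range: "*" }],
      range: "*",
      fixAvailable: false,
    },
  },
};

// Sort every vulnerable package into one of three buckets based on `fixAvailable`,
// which npm reports as true, false, or an object describing the required upgrade.
function triageAudit(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const buckets = { autoFixable: [], breakingFix: [], noFix: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    const entry = {
      name: vuln.name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      // `via` mixes advisory objects with plain strings naming the dependencies a
      // vulnerability is inherited through; keep only the advisory titles.
      advisories: vuln.via.filter((v) => typeof v === "object").map((v) => v.title),
    };
    const fix = vuln.fixAvailable;
    if (fix === true) {
      buckets.autoFixable.push(entry);
    } else if (fix && typeof fix === "object" && fix.isSemVerMajor) {
      buckets.breakingFix.push({ ...entry, fixVersion: fix.version });
    } else if (fix && typeof fix === "object") {
      // A non-major upgrade reported as an object is still handled by plain `npm audit fix`.
      buckets.autoFixable.push({ ...entry, fixVersion: fix.version });
    } else {
      buckets.noFix.push(entry);
    }
  }
  return buckets;
}

// Render the buckets as the to-do list you would work through on Dependency Day.
function summarize(buckets) {
  const names = (list) => list.map((e) => `${e.name} (${e.severity})`).join(", ") || "none";
  return [
    `npm audit fix:          ${names(buckets.autoFixable)}`,
    `npm audit fix --force:  ${names(buckets.breakingFix)} (read the changelogs first)`,
    `no fixed release:       ${names(buckets.noFix)} (open an issue or PR upstream)`,
  ].join("\n");
}

console.log(summarize(triageAudit(SAMPLE_REPORT)));
```

To run it against a real project, save the output of npm audit --json to a file, parse it with JSON.parse and pass the result to triageAudit in place of SAMPLE_REPORT. The point of the split is that only the first bucket is safe to apply blindly; the second needs a changelog read and a test run, and the third is the one that turns into an upstream issue or pull request.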
But if every developer got 24 hours without office work, dedicated to resolving these issues, I imagine it would be really helpful. I wonder what the internet thinks.