
re: Live Exploiting Your Open Source Dependencies with Brian Vermeer

FULL DISCUSSION

Of course I want to update dependencies, but only if I'm 100% sure that the main code doesn't break.

Also, why would I update devDependencies, if it doesn't go into production, anyway?


Not saying you must do anything :)
I totally get your point with dev deps. Snyk, for instance, will omit the dev deps by default when scanning. However, you can change that if you like.

On the 100% comment: this is true! But I assume you have tests in place that will cover the critical paths at the very least. However, when a dependency has vulns, you should IMO switch to a fixed version (or another library) and adapt the rest of your application.

Either way, having a solid dependency management strategy in place is crucial.
