Dependency Update Policies
This document describes the process for updating SecureDrop dependencies. Since dependencies run in the production environment, care should be taken when adding or updating them to minimize risk. The following guidelines describe the process for adding or updating dependencies, and they should be followed by the PR author or reviewer at the time of PR review. Authors of PRs are encouraged to perform the investigations described below when updating or adding dependencies and to post the results of their investigation on the PR. If possible, avoid putting all the burden of dependency review on the PR reviewer. Please note that the following guidelines do not apply to dev-only or test-only dependencies.
Before a new dependency is added, a review should be performed. The following factors should be considered:
- Is this dependency well-maintained? Are there recent commits or releases? Are high priority bugs on their bug tracker responded to and fixed?
- How secure is this dependency? Have there been vulnerabilities reported in the project before? How have the maintainers responded? Do any of its dependencies have known CVEs? In lieu of a full code review (which might be a high burden), one might also run bandit static analysis on the Python dependency: are there high-severity issues?
- How popular is this dependency? How many GitHub stars does it have? Do other well-known projects depend on it? One can look at the GitHub dependency graph (e.g. Flask's) to see the number of projects that use the dependency. By relying on well-known, widely used dependencies, we benefit from the many eyes that should be evaluating them.
When updating a dependency, one should:
- Review the changelog: were any high-risk areas of the code modified? Were bugs with security implications fixed?
- Review the diff: Perform a timeboxed review of the diff. Are there any concerning areas (primarily in terms of security)? One can use the diffoscope tool from https://try.diffoscope.org/ locally to view the diffs in the source code.
These same processes should be followed for the dependencies of the dependency highlighted in the diff. For Pipenv-based projects, they will appear in the updated Pipfile.lock.
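As an added illustration (not part of the SecureDrop documentation or code base), the following script shows one way to surface the transitive changes a reviewer must look at: it compares the "default" (runtime) section of two Pipfile.lock documents and reports packages that were added, removed, or changed. A package whose pinned version is unchanged but whose hash set differs is flagged separately, since that means a different artifact for the same release. The two lock files embedded below are constructed samples with placeholder hashes; the function and variable names are this example's own.

```python
import json
import sys

# Constructed sample Pipfile.lock contents (abbreviated; the sha256 values are
# placeholders, not real digests), standing in for the "before" and "after"
# of a dependency-update PR.
OLD_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "placeholder-old"}},
    "default": {
        "flask": {"version": "==1.1.2", "hashes": ["sha256:aaaa"]},
        "werkzeug": {"version": "==1.0.1", "hashes": ["sha256:bbbb"]},
        "jinja2": {"version": "==2.11.2", "hashes": ["sha256:cccc"]},
    },
    "develop": {
        "pytest": {"version": "==6.0.0", "hashes": ["sha256:dddd"]},
    },
})

NEW_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "placeholder-new"}},
    "default": {
        "flask": {"version": "==2.0.1", "hashes": ["sha256:eeee"]},
        "werkzeug": {"version": "==2.0.1", "hashes": ["sha256:ffff"]},
        # same version as before, but an extra hash appeared
        "jinja2": {"version": "==2.11.2", "hashes": ["sha256:cccc", "sha256:gggg"]},
        # a new transitive dependency pulled in by the flask bump
        "click": {"version": "==8.0.1", "hashes": ["sha256:hhhh"]},
    },
    "develop": {
        "pytest": {"version": "==6.2.4", "hashes": ["sha256:iiii"]},
    },
})


def diff_lockfile(old_text, new_text, section="default"):
    """Compare one section of two Pipfile.lock documents.

    Returns a dict with three lists:
      added    - packages present only in the new lock (e.g. new transitive deps)
      removed  - packages present only in the old lock
      changed  - packages whose pinned version or hash set differs
    Only the requested section is inspected; the default is "default", i.e.
    the runtime dependencies, because dev/test-only packages are out of scope
    for this policy.
    """
    old = json.loads(old_text).get(section, {})
    new = json.loads(new_text).get(section, {})

    added = sorted(name for name in new if name not in old)
    removed = sorted(name for name in old if name not in new)
    changed = []
    for name in sorted(set(old) & set(new)):
        old_ver = old[name].get("version")
        new_ver = new[name].get("version")
        old_hashes = set(old[name].get("hashes", []))
        new_hashes = set(new[name].get("hashes", []))
        if old_ver != new_ver or old_hashes != new_hashes:
            changed.append({
                "name": name,
                "old_version": old_ver,
                "new_version": new_ver,
                # Same release string but different artifact hashes deserves
                # a closer look than an ordinary version bump.
                "same_version_new_hashes": old_ver == new_ver and old_hashes != new_hashes,
            })
    return {"added": added, "removed": removed, "changed": changed}


def review_checklist(report):
    """Names of every package whose changelog and diff the reviewer must read."""
    return list(report["added"]) + [c["name"] for c in report["changed"]]


if __name__ == "__main__":
    # Usage: python lockdiff.py OLD_Pipfile.lock NEW_Pipfile.lock
    # With no arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_text, new_text = f_old.read(), f_new.read()
    else:
        old_text, new_text = OLD_LOCK, NEW_LOCK

    report = diff_lockfile(old_text, new_text)
    for name in report["added"]:
        print(f"ADDED    {name}")
    for name in report["removed"]:
        print(f"REMOVED  {name}")
    for c in report["changed"]:
        flag = "  (same version, different hashes!)" if c["same_version_new_hashes"] else ""
        print(f"CHANGED  {c['name']}: {c['old_version']} -> {c['new_version']}{flag}")
    print("Review changelog and diff for:", ", ".join(review_checklist(report)))
```

The output of `review_checklist` is the list of packages to which the changelog and diff review above applies, not just the package the PR set out to update; passing `section="develop"` covers the dev section if that is ever wanted.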
Recall that updating packages on FPF's PyPI will be done at release time, not at the time of PR merge. Also note that FPF's PyPI is currently used for Python projects built from the debian packaging repository, namely securedrop-proxy and securedrop-client.