> <
https://docs.google.com/document/d/1tOA2aeyjT93OoMv5tUMhAPOkf4rF_IJIHCAoJlwmDHI/edit?usp=sharing>,
>
> It would be good to document the security implications of this approach.
> By using Node we will probably inherit a large number of third-party
> dependencies. Although we could use a service such as the Node Security
> Platform [1] to determine the security status of these dependencies,
> regular monitoring and upgrading will be needed to ensure that we do not
> introduce vulnerabilities into our build process.
>
>
> This is an excellent point, and I will add a section into the "Intent to
> require Node to build Firefox 61" document discussing it.
Great.
> There is a separate but related sibling proposal that has not yet left a
> small working group that aims to make vendoring into mozilla-central
> more uniform and more automated. That proposal directly addresses the
> security story around vendored third-party dependencies and their
> transitive dependencies -- in fact, it's a motivating force behind that
> proposal. We (folks behind the Node proposal) are actively working with
> the folks behind this sibling proposal to ensure that we have a workable
> solution to upgrading Node dependencies across the tree in a timely
> manner in the face of security updates.
Looking forward to hearing more.
> Thanks for sharing the
nodesecurity.io <
http://nodesecurity.io> service
> -- I'll read more as I add the section.
There a few other services like that (e.g., Snyk, SourceClear), I just
happen to know NSP best because I've used it at previous companies.
Peter