
When checking third-party libraries used in package.json and build.gradle files with tools such as Snyk, they allow the option to check for devDependencies. A lot of the time there are vulnerabilities for these dependencies. But if they are not shipped and only used for testing, is there any risk with not updating them?

This Snyk blog says that "dev dependencies matter little". So I am looking for confirmation that this is the case, as they are not tested by default.

Anders
vegedezozu

2 Answers


They matter. Not updating libraries and dependencies will leave your software vulnerable. Each one of the libraries is part of the attack surface.

Unless an update breaks your code, update as soon as the update is available. If the update breaks your code, patch the code and update. But never leave any outdated library with security bugs in your projects. Even if used only for development. If one day you forget to disable them, you are in danger.

ThoriumBR
  • This isn't a very compelling argument. Dev dependencies typically aren't even installed in production. – Ajedi32 Oct 04 '18 at 16:25
  • Usually they are not. But it takes one forgotten `Makefile` to bring outdated libraries to the release version. – ThoriumBR Oct 04 '18 at 16:59
  • I disagree. Even though devDependencies aren't shipped, consider that you are using my package as a devDependency, and I run a little something in my post-install hook; my perfect crime would be to hook into webpack and patch it! Yeah, now when you run npm run build, I attach a vulnerable piece of code which will be a part of your bundle. Imagine how difficult it would be to detect this, if I only target mobile apps which deal with bitcoin? – Nishchal Gautam Oct 14 '20 at 12:46
  • @NishchalGautam and that already happened some time ago... – ThoriumBR Oct 14 '20 at 12:56

That depends on what the dependencies are and what they're used for.

Even if a dependency isn't used in production, if it's used as part of your build process, for example, then it's possible that it might contain a vulnerability that affects your production code.

Similarly, a vulnerability in a development tool could potentially allow attackers to compromise your development PC if that tool processes untrusted input data or connects to remote servers.

So while it may indeed be true that most "vulnerabilities" in development dependencies don't have any notable security impact, unless you're manually assessing each identified vulnerability to determine its impact on your project, it's probably best to just keep everything up to date. There's little downside, and newer versions of development tools usually have lots of other benefits besides just better security.

Ajedi32
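The distinction both answers draw, between a devDependency that only runs tests and one that runs during the build or on install and can therefore shape what is shipped, can be made mechanically. The script below is an added example, not code from either answer or from Snyk: it reads a package.json object, checks which npm scripts invoke each devDependency by name, and assigns a triage class so that build-time tools get the same patch urgency as runtime dependencies. The package.json content, the script names treated as build-time, and the whole-word matching heuristic are assumptions for the example.

```javascript
// Added example: triage devDependencies by whether an npm script that shapes the
// release actually invokes them. A library that only runs under `npm test` is a
// developer-machine risk; one that runs under `npm run build` or an install hook
// can influence the shipped bundle and should be patched like a runtime dependency.

// Assumed: scripts whose output or side effects end up in what is shipped.
const BUILD_SCRIPTS = new Set([
  'build', 'prepare', 'prepack', 'prepublishOnly', 'preinstall', 'install', 'postinstall',
]);

// Names of the scripts whose command line mentions the package (whole-word match on
// the package name, or on the last path segment for scoped packages like @babel/cli).
function scriptsInvoking(pkg, depName) {
  const bin = depName.includes('/') ? depName.split('/').pop() : depName;
  const escaped = bin.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`(^|[\\s;&|(])${escaped}(?=$|[\\s;&|)])`);
  return Object.entries(pkg.scripts || {})
    .filter(([, cmd]) => re.test(cmd))
    .map(([name]) => name);
}

// 'build-time': used by a script in BUILD_SCRIPTS (treat like a production dependency).
// 'dev-only':   used only by test/lint style scripts (developer-machine exposure).
// 'unreferenced': no script names it; either pulled in by another tool (check its
//                 dependency chain) or dead weight worth removing.
function triageDevDependencies(pkg) {
  const result = {};
  for (const dep of Object.keys(pkg.devDependencies || {})) {
    const used = scriptsInvoking(pkg, dep);
    if (used.some((s) => BUILD_SCRIPTS.has(s))) result[dep] = 'build-time';
    else if (used.length > 0) result[dep] = 'dev-only';
    else result[dep] = 'unreferenced';
  }
  return result;
}

// Constructed sample package.json for the example (not a real project).
const samplePkg = {
  name: 'example-app',
  dependencies: { express: '^4.17.1' },
  devDependencies: {
    webpack: '^4.41.0', 'webpack-cli': '^3.3.0', jest: '^24.9.0',
    eslint: '^6.8.0', lodash: '^4.17.15',
  },
  scripts: { build: 'webpack --mode production', test: 'jest --coverage', lint: 'eslint src' },
};

console.log(triageDevDependencies(samplePkg));
```

For the sample above, webpack is classed build-time, jest and eslint dev-only, and webpack-cli and lodash unreferenced (webpack-cli is really invoked through webpack, which is why the name-match heuristic should be read as a first pass, not a final verdict).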