Is updating dependencies frequently still good advice?
-
@Arantor 10 was the last version of Windows; Windows 11 is another line of OS, called Windows Core
-
@sockpuppet7 Windows Core started in 10 though…
-
@Arantor said in Is updating dependencies frequently still good advice?:
Windows Core
Based on MS naming from above ... that's the open-source cross-platform version of Windows, right?
-
@cvi WINE?
-
@Arantor said in Is updating dependencies frequently still good advice?:
@sockpuppet7 Windows Core started in 10 though…
It happens frequently if you have a bad hardware driver...
-
Being serious for a moment, some of the drama would be reduced if some of these packages were audited and encapsulated in the parent language.
Left-pad should never have happened, for example, because left padding should have been built into the language from the start. (Or, at least, a long time ago.)
I wonder how much cruft you’d save if libraries that primarily fix core language deficiencies were moved into the language, like left-pad.
-
@Arantor That just shifts the focus of the attacks; the supply chain is always a potential attack surface.
-
@dkf sure but if you built things into the language that were sane, you’d have the one attack surface rather than multiple instances of different packages that all do the same job (looking at you, Node)
The aim of course being to reduce the inclination to widen the attack surface with the slightest provocation.
-
@Arantor You're simply asking for someone else to solve your problem. There are plenty of instances where things are left out of languages that shouldn't have been, your left pad example is a good one, but those aren't the majority of our dependencies.
At the end of the day, you either have to write on a monolithic platform (which there pretty much haven't been any of for a long time now), or deal with dependencies. The mature approach is to have a formal dependency vetting program. The organization has to live with the fact that a package updates a lot, introduces bugs a lot, makes breaking changes a lot, or gets abandoned, so the organization is allowed to reject a dependency as too much debt.
-
@Jaime I look at the projects I have at work. A small web site that asks for less than 10 immediate dependencies should not have 3400+ installed libraries according to the package-lock.json file.
This to me indicates something very, very wrong with the ecosystem.
Let me give you some examples from my very current project. These are all dependencies somewhere in the chain, not any of the ones I explicitly indicate.
jridgewell/resolve-uri - accepts a base (so, https://example.com/) and some input and resolves a URI out of that. Given that this is something the web stack must implicitly do, why is it not in the core language?
nodelib/fs.scandir - because Node is apparently that poor at getting a list of files in a local directory that it needs a wrapper library?
nodelib/fs.stat - file status? Primarily for figuring out symbolic links locally? Why is this not core Node functionality exactly?
any-promise - a shim from 8 years ago for supporting ES6 compatible Promises where you can pick a Promise-compatible library for using Promises. “Current known implementations include: bluebird, q, when, rsvp, es6-promise, promise, native-promise-only, pinkie, vow and lie.”
Why do we need so many reimplementations of the same basic idea?
I could go on - there’s plenty more examples just in this project but that’s my point: the ecosystem in Node in particular is fucked and absolutely widens the attack surface for no goddamn reason.
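The post above describes the symptom (fewer than ten direct dependencies, thousands of installed packages) but not how to measure it. The following is an added example, not code from the thread or from any of the packages named in it: a walk over a package-lock.json that counts direct versus installed packages, finds names installed at more than one version, and flags the entries a supply-chain review looks at first (non-registry sources, missing integrity hashes). It assumes the lockfileVersion 2/3 layout, where "packages" maps an install path to metadata; the sample lockfile and the package names in it are constructed placeholders.

```javascript
// Added example, not from the thread: a lockfile walk that measures what the
// post describes (a handful of direct dependencies, thousands of installed
// packages) and flags the entries a supply-chain review would look at first.
// Assumes the lockfileVersion 2/3 layout, where "packages" maps an install
// path ("", "node_modules/a", "node_modules/a/node_modules/b") to metadata.

// Constructed sample lockfile; the package names are placeholders.
const SAMPLE_LOCK = {
  name: "small-site",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-thing": "^1.0.0" }, devDependencies: { bundler: "^2.0.0" } },
    "node_modules/web-thing": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/web-thing/-/web-thing-1.0.0.tgz",
      integrity: "sha512-AAAA",
      dependencies: { "uri-helper": "^3.0.0", "promise-shim": "^1.2.0" },
    },
    "node_modules/uri-helper": {
      version: "3.0.1",
      resolved: "https://registry.npmjs.org/uri-helper/-/uri-helper-3.0.1.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/promise-shim": {
      version: "1.2.0",
      // No integrity field and a non-registry source: both worth a second look.
      resolved: "git+ssh://git@github.com/someone/promise-shim.git#abc123",
    },
    "node_modules/bundler": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/bundler/-/bundler-2.0.0.tgz",
      integrity: "sha512-CCCC",
      dev: true,
      dependencies: { "uri-helper": "^2.0.0" },
    },
    // Nested copy: a second major of uri-helper installed only for bundler.
    "node_modules/bundler/node_modules/uri-helper": {
      version: "2.9.0",
      resolved: "https://registry.npmjs.org/uri-helper/-/uri-helper-2.9.0.tgz",
      integrity: "sha512-DDDD",
      dev: true,
    },
  },
};

// Name of the package at a lockfile path: everything after the last
// "node_modules/", so scoped names such as "@scope/pkg" survive intact.
function packageName(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return installPath.slice(i + "node_modules/".length);
}

function analyzeLock(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const installed = Object.entries(lock.packages).filter(([p]) => p !== "");

  const versionsByName = new Map();
  const findings = [];
  for (const [installPath, meta] of installed) {
    const name = packageName(installPath);
    if (!versionsByName.has(name)) versionsByName.set(name, new Set());
    versionsByName.get(name).add(meta.version);

    const resolved = meta.resolved || "";
    if (!resolved.startsWith("https://registry.npmjs.org/")) {
      findings.push({ name, reason: "non-registry source", detail: resolved || "(no resolved URL)" });
    }
    if (!meta.integrity) {
      findings.push({ name, reason: "missing integrity hash", detail: installPath });
    }
  }
  const duplicated = [...versionsByName]
    .filter(([, versions]) => versions.size > 1)
    .map(([name, versions]) => ({ name, versions: [...versions].sort() }));

  return {
    directCount: direct.size,
    installedCount: installed.length,
    transitiveCount: installed.length - direct.size, // installed beyond what package.json asked for
    duplicated,
    findings,
  };
}

// The summary a practitioner would glance at before running `npm audit`.
function summarize(lock) {
  const r = analyzeLock(lock);
  const lines = [
    `${r.directCount} direct dependencies, ${r.installedCount} installed (${r.transitiveCount} transitive)`,
    ...r.duplicated.map((d) => `duplicate: ${d.name} @ ${d.versions.join(", ")}`),
    ...r.findings.map((f) => `review: ${f.name}: ${f.reason} (${f.detail})`),
  ];
  return lines.join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  // For a real tree: summarize(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
  console.log(summarize(SAMPLE_LOCK));
}
```

Run against a real lockfile the duplicate list is usually the first surprise (several majors of the same helper pulled in by different parents), and the findings list is where git and tarball URLs without an integrity hash show up; those are the entries that bypass the registry's immutability and deserve pinning to a commit or vendoring.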
-
@LaoC said in Is updating dependencies frequently still good advice?:
@Jaime said in Is updating dependencies frequently still good advice?:
@dkf You aren't wrong. What I am seeing in the corporate world is people seeing .Net Framework vs. .Net Core as old vs. new rather than conservative vs. ever-changing. [...] So, they blame Microsoft and just keep shipping the out-of-date software.
I wonder why anyone would think that?
.Net Core is approaching 10 years?
Though of course the first .Net Core version worth considering[citation needed] was 3.1, which is from December 2019. Or maybe .Net 5 from about a year later.
-
@Zecc said in Is updating dependencies frequently still good advice?:
@LaoC said in Is updating dependencies frequently still good advice?:
@Jaime said in Is updating dependencies frequently still good advice?:
@dkf You aren't wrong. What I am seeing in the corporate world is people seeing .Net Framework vs. .Net Core as old vs. new rather than conservative vs. ever-changing. [...] So, they blame Microsoft and just keep shipping the out-of-date software.
I wonder why anyone would think that?
.Net Core is approaching 10 years?
Though of course the first .Net Core version worth considering[citation needed] was 3.1, which is from December 2019. Or maybe .Net 5 from about a year later.
Which is actually renamed Core, isn't it? It got a whopping 19 months from release to EOL.
-
@Arantor said in Is updating dependencies frequently still good advice?:
This to me indicates something very, very wrong with the ecosystem.
Of course it is. The only thing you can control is your participation.
You have two choices:
- Deal with the mountain of dependencies.
- Choose another ecosystem
You are complaining about the fact that an environment that encourages public participation and moving fast creates conditions where things are always changing all around you and much of it is maintained by a teenager working part time without pay. That's what anything from the npm ecosystem is if you don't impose a curation layer.
Your alternative is one of the many enterprise focused platforms. J2EE gets picked on a lot and deserves much of it, but it's pretty comprehensive and is maintained by grown ups. I've mentioned .Net Framework a bunch of times, but you can get a long way with .Net Core using only Microsoft's packages. You still have breaking changes and abandoned packages, but your life will be better than what you have described. I'm sure there's thirty other suitable choices that have yet to be mentioned on this thread.
-
@Jaime said in Is updating dependencies frequently still good advice?:
is maintained by grown ups
@Jaime said in Is updating dependencies frequently still good advice?:
The only thing you can control is your participation.
You have two choices:
- Deal with the mountain of dependencies.
- Choose another ~~ecosystem~~ job
Damn right I'm complaining.
-
@Jaime considering that I’m writing the app in PHP and got this shit foisted on me in passing, no.
It’s a web app. It has web shit on the front of it. Which means I’m fucking doomed, forever, to deal with this clusterfuck of an ecosystem because every fucking thing in it relies on Node even when it’s not a Node app.
-
@Arantor said in Is updating dependencies frequently still good advice?:
jridgewell/resolve-uri - accepts a base (so, https://example.com/) and some input and resolves a URI out of that. Given that this is something the web stack must implicitly do, why is it not in the core language?
It is. https://developer.mozilla.org/en-US/docs/Web/API/URL_API (see the 2-parameter constructor)
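To show what the two-parameter constructor actually does with the inputs a resolver library is normally reached for, here is an added example (not code from the thread, from the URL specification, or from the resolve-uri package). It assumes the global URL class available in browsers and in current Node, and uses constructed inputs and a constructed base. Beyond bare resolution it adds the check a practitioner wants next: whether the resolved result still sits on the base's origin, since scheme-relative and absolute inputs silently leave it.

```javascript
// Added example (not from the thread): resolving a URI against a base with the
// standard URL constructor, which is the job @jridgewell/resolve-uri is doing in
// the dependency tree discussed above. Assumes the global WHATWG URL class.

// Resolve `input` relative to `base`, the way a browser resolves an href.
// Returns the absolute URL string, or null if the pair cannot be resolved.
function resolveUri(input, base) {
  try {
    return new URL(input, base).href;
  } catch (err) {
    // TypeError: invalid URL (e.g. a relative input with an unusable base)
    return null;
  }
}

// After resolution, confirm the result still points at the origin we expect.
// Inputs such as "//evil.example/x" or "https://evil.example/x" resolve to a
// different host; assuming the base "anchors" every input is the classic
// open-redirect / SSRF mistake.
function resolvesWithinOrigin(input, base) {
  const resolved = resolveUri(input, base);
  if (resolved === null) return false;
  return new URL(resolved).origin === new URL(base).origin;
}

// Constructed cases covering the resolution rules people usually get wrong.
const BASE = "https://example.com/app/index.html";
const CASES = [
  ["about.html", "https://example.com/app/about.html"],       // sibling path
  ["../img/logo.png", "https://example.com/img/logo.png"],    // parent traversal, stops at root
  ["/api/v1", "https://example.com/api/v1"],                   // root-relative
  ["?q=1", "https://example.com/app/index.html?q=1"],         // query only
  ["#top", "https://example.com/app/index.html#top"],         // fragment only
  ["//cdn.example.net/x.js", "https://cdn.example.net/x.js"], // scheme-relative: host changes
  ["https://evil.example/x", "https://evil.example/x"],        // absolute input ignores the base
];

// Returns one record per case: resolved value, whether it matched, and whether
// it stayed on the base origin.
function runCases() {
  return CASES.map(([input, expected]) => {
    const resolved = resolveUri(input, BASE);
    return {
      input,
      resolved,
      ok: resolved === expected,
      sameOrigin: resolvesWithinOrigin(input, BASE),
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runCases()) {
    console.log(`${r.ok ? "ok " : "BAD"} ${r.input.padEnd(24)} -> ${r.resolved}  same-origin: ${r.sameOrigin}`);
  }
}
```

The last two cases are the ones that matter for review: they resolve "correctly" and still leave the site, so any code that builds a redirect or a server-side fetch from user-supplied input needs the origin comparison, not just the constructor.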
-
@TwelveBaud ah so one of the bullshit dependencies I never asked for is redundant entirely but no one has yet been bothered to replace it. Wonderful.
-
@Jaime said in Is updating dependencies frequently still good advice?:
J2EE gets picked on a lot and deserves much of it, but it's pretty comprehensive and is maintained by grown ups.
I was thinking about that platform at the beginning of this week, when the xz affair blew up. Is it immune? Declarative build systems are certainly easier to audit... except who really knows what is going on inside a Maven or Gradle plugin, and there remains a lot of "just call out to this shell script, bro" stuff hidden behind the scenes. I've also looked behind the scenes a bit with MSBuild and Meson...
When I said that we are all doomed, I wasn't joking. Nobody has tackled the problem (and it is a very tough problem to tackle).
-
@Applied-Mediocrity said in Is updating dependencies frequently still good advice?:
@Jaime said in Is updating dependencies frequently still good advice?:
is maintained by grown ups
@Jaime said in Is updating dependencies frequently still good advice?:
The only thing you can control is your participation.
You have two choices:
- Deal with the mountain of dependencies.
- Choose another ~~ecosystem~~ job
Damn right I'm complaining.
Sometimes applying mediocrity, as your username says (and pretending you're not aware of the problem), sounds like the way to keep your sanity.
-
@sockpuppet7 said in Is updating dependencies frequently still good advice?:
keep your sanity
-
@dkf said in Is updating dependencies frequently still good advice?:
@Jaime said in Is updating dependencies frequently still good advice?:
J2EE gets picked on a lot and deserves much of it, but it's pretty comprehensive and is maintained by grown ups.
I was thinking about that platform at the beginning of this week, when the xz affair blew up. Is it immune? Declarative build systems are certainly easier to audit... except who really knows what is going on inside a Maven or Gradle plugin, and there remains a lot of "just call out to this shell script, bro" stuff hidden behind the scenes. I've also looked behind the scenes a bit with MSBuild and Meson...
When I said that we are all doomed, I wasn't joking. Nobody has tackled the problem (and it is a very tough problem to tackle).
With all the nasty things lombok must be doing under the hood, I don't doubt java is vulnerable.
-
@dkf said in Is updating dependencies frequently still good advice?:
I was thinking about that platform at the beginning of this week, when the xz affair blew up. Is it immune?
I only said "maintained by grown ups". Grown ups can't solve hard problems by snapping their fingers, but children just pretend they don't exist. Or at least pretend that the invulnerability of youth will protect them.
I agree that we are all doomed. As in, we are all doomed to the fate that we very well might be a victim of a cyberattack due to no fault of our own, even if we make all of the right choices.
But that doesn't mean to give up. Rather it means to minimize our risk to the best of our capabilities within the means of our organizations. Either stay the hell away from npm, or do the work - update your dependencies and fix the bugs that are caused. That's not a guarantee or a panacea, but it's the responsible thing to do.
It also forces us to understand the hidden costs of an ecosystem. If you actually do the work - and it turns out to be more costly than you expected, then you have learned something. Use that new information next time you select a package to be a dependency.
In @Applied-Mediocrity's situation - well, someone else made the bed and you have to sleep in it. Does it really matter if more of your eight hours' pay goes to keeping up to date? If your employer insists that you don't spend that time, then it's just a time bomb waiting to explode. You decide if you want to be there when it does.
Electricians don't run fewer circuits just because their bosses tell them to. Engineers don't specify smaller trusses just to bring in more profit. Doctors don't skip treatment because the patient is probably going to die anyway. All of these things occasionally happen, but in these cases, we don't blame the external pressures, we blame the people making the choices.
-
@Jaime said in Is updating dependencies frequently still good advice?:
stay the hell away from npm
Oh, I do, I do! I stay away from anything related to Node or JS.
-
@HardwareGeek said in Is updating dependencies frequently still good advice?:
@sockpuppet7 said in Is updating dependencies frequently still good advice?:
keep your sanity
In a small locked box way back on a high shelf.
-
@Watson said in Is updating dependencies frequently still good advice?:
@HardwareGeek said in Is updating dependencies frequently still good advice?:
@sockpuppet7 said in Is updating dependencies frequently still good advice?:
keep your sanity
In a small locked box way back on a high shelf.
For some, that box can be much smaller than others.
-
@HardwareGeek said in Is updating dependencies frequently still good advice?:
@Jaime said in Is updating dependencies frequently still good advice?:
stay the hell away from npm
Oh, I do, I do! I stay away from anything related to Node or JS.
I removed all JS from my toy project and rewrote it in Rust, but then:
@loopback0 said in Is updating dependencies frequently still good advice?:
using Rust was never good advice
-
@sockpuppet7 quoted @loopback0 in Is updating dependencies frequently still good advice?:
using ~~Rust~~ a computer was never good advice
-
@dkf said in Is updating dependencies frequently still good advice?:
I've also looked behind the scenes a bit with MSBuild and Meson...
Care to elaborate on the latter?
I’ve only briefly looked at Meson. I’m probably not going to use it, just because so much tooling etc. naturally concentrates on “de facto” standards, so picking it seems like betting on the wrong horse.
But just from superficially looking at it, it seems so much nicer and better designed than the abomination that is cmake.
-
@topspin said in Is updating dependencies frequently still good advice?:
But just from superficially looking at it, it seems so much nicer and better designed than the abomination that is cmake.
I only looked superficially too, in part because the documentation is structured in such a way as to be very hard to get an overall view, but I noted that it definitely has the ability to call out to other build systems. Papering over the sins doesn't help at all.
-
@dkf but the question then is: is that easy to spot / search for, or is that usually buried in incomprehensible nonsense?
-
@topspin The real trick is whether you can determine that what you are auditing is the same thing that is security-tricky and that needs the audit. That was part of the real nasty sting in the xz stuff; the flaws in xz were only exposed in the distribution tarballs, and were concealed in the source tree, and sshd was only targetable at all by this because it was being patched to be so by Linux distro makers.
-
@HardwareGeek said in Is updating dependencies frequently still good advice?:
@sockpuppet7 said in Is updating dependencies frequently still good advice?:
keep your sanity
Can't keep what you never had.
-
@Arantor said in Is updating dependencies frequently still good advice?:
@Jaime considering that I’m writing the app in PHP and got this shit foisted on me in passing, no.
It’s a web app. It has web shit on the front of it. Which means I’m fucking doomed, forever, to deal with this clusterfuck of an ecosystem because every fucking thing in it relies on Node even when it’s not a Node app.
Meh. No ISVM report, no problem!
-
@boomzilla said in Is updating dependencies frequently still good advice?:
@Arantor said in Is updating dependencies frequently still good advice?:
@Jaime considering that I’m writing the app in PHP and got this shit foisted on me in passing, no.
It’s a web app. It has web shit on the front of it. Which means I’m fucking doomed, forever, to deal with this clusterfuck of an ecosystem because every fucking thing in it relies on Node even when it’s not a Node app.
Meh. No ISVM report, no problem!
I did wonder at first what the International Society for Viruses of Microorganisms had to do with it - plenty of packages in the ecosystem qualify as microorganisms.
Then I remembered the IT version, and left myself a note to run npm audit on Monday to see if my ecosystem has gotten a vulnerability this week.
-
@Arantor said in Is updating dependencies frequently still good advice?:
@boomzilla said in Is updating dependencies frequently still good advice?:
@Arantor said in Is updating dependencies frequently still good advice?:
@Jaime considering that I’m writing the app in PHP and got this shit foisted on me in passing, no.
It’s a web app. It has web shit on the front of it. Which means I’m fucking doomed, forever, to deal with this clusterfuck of an ecosystem because every fucking thing in it relies on Node even when it’s not a Node app.
Meh. No ISVM report, no problem!
I did wonder at first what the International Society for Viruses of Microorganisms had to do with it - plenty of packages in the ecosystem qualify as microorganisms.
Then I remembered the IT version, and left myself a note to run npm audit on Monday to see if my ecosystem has gotten a vulnerability this week.
What are we going to do today, @Arantor?
The same thing we do every Monday, Dashie.
Oh boy, checking npm for vulnerability reports!