I'm curious to hear if anyone else does any due diligence before using open source packages in production? Not anything major - just checking for recent commits / activity, issue logs, etc.
It's interesting to see so many people here checking the code of all their open source packages, so here's my take on it as a security consultant:

No, most people don't, they even have a hard time keeping library versions up to date.
Yes.

If you work in a secure environment or support critical infrastructure there are teams whose sole purpose is to approve/deny releasing software regardless of who wrote it. Such teams will typically require source code, written justification, senior management signed approval, and test validation. In the case where source code is not provided, such as closed source commercial software, the vendor will be required to accept liability for all losses due to their software as ratified by a signed contract.
I normally read a good chunk, if not all of the code of a dependency before I add it to my projects except in the case of community standard things (in Ruby) such as ActiveSupport or Sequel. Going over a prospective dependency a few months ago bore fruit in proving why you should always do this. NewsAPI is a neat little API for fetching news whose docs just so happen to show a ruby gem. Being the lazy developer I am I'd rather use the gem than build another API client, but before I did that I read the source as one should. Lo and behold, what do I find but the evil eval in the code for a dirt simple API client. No thanks.

https://github.com/olegmikhnovich/News-API-ruby/blob/master/lib/news-api.rb#L47
This article might be of interest:

https://medium.com/hackernoon/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
I am paranoid about security of all those packages, so yes, even before just downloading, I check the authors, activity and read the source code. Not always – e.g. I skip the source code if it's something big AND very reputable AND I decided that I need it such as scala/scala or facebook/react – but I do my best.

It's very annoying, it's not free, and it affects what kinds of libraries I use. My projects have fewer and smaller dependencies than typical because of these self imposed constraints.

On the upside, borrowing a pattern or a dozen lines of code instead of pulling a dependency that will remain 90% unused is really underrated. As is understanding how things work under the hood.
I would be surprised if anyone has enough resources or willingness to do that for every open source package they are using. For companies that go through auditing, they can CTA by relying on products like Nexus IQ.
Doesn't everyone? That's one of the annoying parts of using other people's code. You have no idea how good or bad it is until you have thoroughly vetted it.
These comments feel skewed. I look for activity and support. Reading the actual code is typically far from my mind.

The time-opportunity cost isn't worth it on average