I am worried about safety. Any chance to remove dependencies? #5180
Comments
Hi there @dmitriz, We are really concerned about dependencies since we are a huge target for hackers trying to steal apikeys and secrets. Ideally we would want to have zero dependencies.
Agreed. I can't find any uses of
This is an example of what we do: #4873 By absorbing the code into ccxt they no longer have the permissions to change it, so I made a static_dependencies folder for just that :P
@frosty00 thx! @dmitriz Also, check out how package dependency lock files work in npm, PyPI and other packagers:
By locking those version numbers the entire dep-version-tree is finalized, therefore to hack into the existing version, you will have to break npm or PyPI. Therefore we keep those versions locked as much as we can. And, as @frosty00 noted, we're also including "vendored" code into the lib to lower potential risks. Let us know if the above doesn't answer the question, basically the short answer is: yes, we have the same concerns, therefore we are working on the safety aspects as well. This lib is MIT, however, so it comes with no warranties to be used at your own risk. You should never rely on someone for checking your security – always make sure yourself. Closing this for now, feel free to reopen it or just ask further questions if you have more.
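The lock-file pinning described in the comment above, as an added example that is not ccxt's own code: a script that walks a lockfileVersion 1 package-lock.json (the nested "dependencies" layout with version, resolved and integrity per entry) and flags any transitive dependency that is not pinned to an exact version, has no integrity hash, or is fetched over plain HTTP. The lockfile contents and package names are constructed for illustration.

```javascript
// Added example, not from the ccxt project: audit a lockfileVersion-1
// package-lock.json (nested "dependencies" entries carrying version,
// resolved and integrity) for the properties that make pinning effective.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
// Walk every transitive dependency and record which checks it fails.
function auditLockfile(lock) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      const problems = [];
      // A range or tag here means a later publish could still be pulled in.
      if (!EXACT_VERSION.test(entry.version || '')) problems.push('version-not-exact');
      // Without an integrity hash npm cannot detect a replaced tarball.
      if (!entry.integrity) problems.push('missing-integrity');
      // Tarballs fetched over plain HTTP can be swapped in transit.
      if (entry.resolved && !/^https:\/\//.test(entry.resolved)) problems.push('insecure-resolved');
      findings.push({ path: here.join(' > '), problems });
      walk(entry.dependencies, here); // nested sub-dependencies, if any
    }
  }
  walk(lock.dependencies, []);
  return findings;
}
// Total transitive count plus a readable list of the flagged entries.
function summarize(lock) {
  const findings = auditLockfile(lock);
  return {
    total: findings.length,
    flagged: findings.filter((f) => f.problems.length > 0).map((f) => `${f.path}: ${f.problems.join(', ')}`),
  };
}

// Constructed sample lockfile; package names are made up for illustration.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: {
    'pinned-lib': { version: '1.2.3', integrity: 'sha512-AAAA',
      resolved: 'https://registry.npmjs.org/pinned-lib/-/pinned-lib-1.2.3.tgz' },
    'loose-lib': { version: '2.0.0', // no integrity field, and a plain-HTTP tarball
      resolved: 'http://registry.example/loose-lib/-/loose-lib-2.0.0.tgz',
      dependencies: {
        'sub-lib': { version: '0.1.0', integrity: 'sha512-BBBB',
          resolved: 'https://registry.npmjs.org/sub-lib/-/sub-lib-0.1.0.tgz' },
      } },
  },
};

console.log(summarize(SAMPLE_LOCK));
```

Run against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; the total also shows how many transitive packages a single direct dependency actually pulls in.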
Great to hear, thanks!
If it is not even used, it should be even easier to remove.
Would be great but at least it is currently actively maintained, while the ponyfill is not.
Yes, locking versions in the lock files helps too. But it does not help against hidden malicious dependency upgrades whenever the Of course, including the code closes that hole, so prob. the best way to go. In the PR you mentioned the accompanying problem of enlarging the build size of
Indeed, checking my own security is why I have started this thread :)
I should add, including deps locally and removing the dep is the most secure.
Also note that
@dmitriz thx for your considerations and comments. BTW there's also a new feature on GitHub that addresses this aspect:
The whole point is that by then we will have all our users' funds stolen and our reputation destroyed... Also paranoid users may be more inclined to use our package if it has no dependencies.
You are welcome. :)
The way I understand, it would only display a warning when someone has already reported a problem.
remove opencollective dependency #5180
After the high-profile event-stream incident demonstrating the amount of risk in relying on 3rd-party dependencies, see e.g. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident and dominictarr/event-stream#116, I had to look at this library's dependencies. Being a major package with 400k downloads weekly, it clearly seems like an attractive target for hackers to exploit this vulnerability, which should be a matter of when rather than if, so I was wondering what it would take to close this vulnerability hole.

At present https://www.npmjs.com/package/ccxt lists 3 dependencies:

from which the first 2 were last published 2 years ago (!!) and the last 1 year ago!

The most worrying one is opencollective, carrying 6 further dependencies of its own:

at least one of which is declared deprecated (https://www.npmjs.com/package/opn). The question here is -- to what extent is opencollective critical, and any chance to remove it?

The other dependency, the 1-year-old package fetch-ponyfill, seems to be just a tiny wrapper around node-fetch: https://github.com/qubyte/fetch-ponyfill/blob/master/fetch-node.js. node-fetch seems to be actively maintained, so the question is -- any chance to copy-paste the required small code from fetch-ponyfill and replace it with node-fetch?

The last dependency, crypto-js (https://www.npmjs.com/package/crypto-js), seems like a major, actively downloaded package, which however doesn't seem to be actively maintained, being last published 2 years ago. Again, the question is whether it would be feasible to directly import this relatively small library rather than keeping it as a 2-year-old dependency.