I am using the latest version of npm-check-updates
I am using node >= 14
New feature motivation
Late Saturday evening I was thinking about lovely ... npm dependencies and their security in particular. And my thoughts seem to be either unusual or simply foolish because I couldn't find anything related in yarn/npm or in npm-check-updates.
When a vulnerability is introduced to an npm package, it takes at least several days to discover the vulnerability and to report the vulnerable release to security databases (npm, Snyk, dependabot, etc.).
Because of that reason, it would make sense for developers to use 3rd party dependencies with a version that matches these conditions:
as latest as possible (the obvious one)
free from vulnerabilities, i.e. not present in npm/Snyk/dependabot security databases
X days mature, because of the reason mentioned above - it takes time to discover and report vulnerabilities
New feature description
It would be nice to be able to set the minimal maturity for the version to upgrade. For example, if for some-cool-package two new versions are available, one released 10 days ago and another one released 1 hour ago, it'd be safer to upgrade to the older one because the one that was just released has a bigger chance of being vulnerable.
New feature implementation
A parameter which would set the minimum maturity required for versions, possibly in days. But the implementation is something to discuss further if what I'm proposing does make sense to you.
Thank you!
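One way the selection described in this request could work, as an added example that is not npm-check-updates code: it reads the `time` map an npm registry package document carries (version to publish timestamp), skips prereleases and an optional set of versions already known to be vulnerable, and returns the highest release at least `minAgeDays` old. The packument contents and the vulnerable-version set are constructed for the example.

```javascript
// Constructed sample `time` map, shaped like the one in a registry packument.
// Relative to NOW, 2.0.0 is 10 days old and 2.1.0 is 1 hour old.
const NOW = new Date('2024-03-20T12:00:00Z');
const SAMPLE_TIME = {
  created: '2023-01-01T00:00:00Z',
  modified: '2024-03-20T11:00:00Z',
  '1.9.0': '2023-11-02T00:00:00Z',
  '2.0.0': '2024-03-10T09:00:00Z',        // published 10 days before NOW
  '2.0.1-beta.1': '2024-03-15T00:00:00Z', // prerelease, ignored
  '2.1.0': '2024-03-20T11:00:00Z',        // published 1 hour before NOW
};

// Minimal semver parsing: [major, minor, patch] for a plain release,
// null for prereleases and for metadata keys such as "created"/"modified".
function parseRelease(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

function compareRelease(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns the highest release published at least `minAgeDays` before `now`
// and not listed in `vulnerable` (a Set of version strings, e.g. from an
// advisory database), or null when no version satisfies both conditions.
function pickMatureVersion(timeMap, minAgeDays, now = new Date(), vulnerable = new Set()) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  let best = null;
  for (const [version, published] of Object.entries(timeMap)) {
    const parsed = parseRelease(version);
    if (!parsed || vulnerable.has(version)) continue;
    const publishedAt = Date.parse(published);
    if (Number.isNaN(publishedAt) || publishedAt > cutoff) continue;
    if (!best || compareRelease(parsed, best.parsed) > 0) best = { version, parsed };
  }
  return best ? best.version : null;
}

console.log(pickMatureVersion(SAMPLE_TIME, 10, NOW)); // 2.0.0
console.log(pickMatureVersion(SAMPLE_TIME, 0, NOW));  // 2.1.0
```

Maturity is only a heuristic; a version that is old enough can still carry a known advisory, which is why the vulnerable-version set is checked alongside the age window.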