
security issues, security advisories, security updates how? #92

Closed
toastbrotch opened this issue Dec 1, 2014 · 7 comments

Comments

@toastbrotch

To let bower run in a production environment, how are security issues, security advisories, security updates handled, notified, ...? Could not find any information on security at all....

@sheerun
Contributor

sheerun commented Aug 13, 2015

Unfortunately bower doesn't have special procedures for security updates. General guidelines apply.

@sheerun sheerun closed this as completed Aug 13, 2015
@toastbrotch
Author

Thanks for answering. What do you mean by general guidelines?
We're in 2015, how can such important basics be missing?
Why should anyone use third-party stuff in production without security considerations?

@sheerun
Contributor

sheerun commented Aug 14, 2015

Just update frequently, and report security bugs directly to maintainers, instead of on public issue tracker.

What other steps would you like Bower to take?

@toastbrotch
Author

I do not have the time to upgrade daily and then test everything (and possibly fix). Or is this the way everyone works with bower?

I'd like to have a way to get notified of security issues in (my installed) bower packages. Think of it like the Debian security mailing list. I install packages and get notified of all security updates published, so I can react and see which packages I need to upgrade, and where.

@sheerun sheerun reopened this Aug 16, 2015
@sheerun
Contributor

sheerun commented Aug 16, 2015

I guess we can create a mailing list for important announcements.

@riyadhalnur
Member

@toastbrotch Even with NPM, they don't issue security updates. At the time of writing this, you still have to depend on third-party audit modules or apps to notify of new releases.

Having said that, yes, that is a feature that should be integrated into core, be it on Bower or NPM.

@sheerun
Contributor

sheerun commented May 6, 2020

Npm currently has many tools to check the security status of packages (e.g. npm audit or online services like GitHub security checks or Snyk checks). We'll also publish CVEs for critical security fixes. I've also added SECURITY.md to the bower repository, which says to report security issues directly by e-mail. I hope it's enough.

@sheerun sheerun closed this as completed May 6, 2020
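The workflow toastbrotch asks for (install packages, be told which installed ones have a published fix and need upgrading) is what `npm audit`-style tools do for npm. Bower never shipped such a check, so the following is an added example, not bower's own code or anything from this thread: a small Python script that compares installed package versions against an advisory list and reports what needs upgrading. The `INSTALLED` map and the `ADVISORIES` entries are constructed sample data with placeholder ids; the `load_installed()` helper assumes bower's per-component `bower_components/<name>/.bower.json` layout with a `version` (or `_release`) field, and a real deployment would feed it a maintained advisory source instead of the inline list.

```python
import json
import operator
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of installed bower packages (name -> installed version),
# the shape load_installed() below produces from a bower_components tree.
INSTALLED: Dict[str, str] = {
    "jquery": "1.11.1",
    "bootstrap": "3.3.5",
    "angular": "1.4.0",
}

# Constructed advisory feed with placeholder ids; a real one would be a
# maintained CVE/advisory source. "affected" is a space-separated conjunction
# of comparators over semver versions, "fixed_in" the first safe release.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-0001-PLACEHOLDER", "package": "jquery",
     "affected": "<3.0.0", "fixed_in": "3.0.0"},
    {"id": "ADV-0002-PLACEHOLDER", "package": "angular",
     "affected": ">=1.0.0 <1.5.0", "fixed_in": "1.5.0"},
    {"id": "ADV-0003-PLACEHOLDER", "package": "bootstrap",
     "affected": "<3.3.0", "fixed_in": "3.3.0"},
]

# major.minor.patch with an optional leading "v"; any pre-release/build suffix
# is accepted but ignored, so "1.5.0-rc1" compares as 1.5.0 (a simplification).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$")
_CLAUSE_RE = re.compile(r"^(<=|>=|<|>|=)?(.+)$")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.11.1' or 'v3.3.5' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comparator in spec, e.g. '>=1.0.0 <1.5.0'."""
    v = parse_version(version)
    for clause in spec.split():
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op = m.group(1) or "="
        if not _OPS[op](v, parse_version(m.group(2))):
            return False
    return True


def find_vulnerable(installed: Dict[str, str],
                    advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed_version, advisory_id, fixed_in) for each match."""
    hits = []
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver is None:
            continue  # package not installed, advisory does not apply
        if in_range(ver, adv["affected"]):
            hits.append((adv["package"], ver, adv["id"], adv["fixed_in"]))
    return sorted(hits)


def load_installed(components_dir: str = "bower_components") -> Dict[str, str]:
    """Read installed versions from bower's per-component .bower.json files.

    Assumption: each installed component lives in <components_dir>/<name>/ and
    carries a .bower.json with a 'version' (or '_release') field.
    """
    found: Dict[str, str] = {}
    if not os.path.isdir(components_dir):
        return found
    for name in os.listdir(components_dir):
        meta = os.path.join(components_dir, name, ".bower.json")
        if os.path.isfile(meta):
            with open(meta, encoding="utf-8") as fh:
                data = json.load(fh)
            ver = data.get("version") or data.get("_release")
            if ver:
                found[name] = ver
    return found


def report(installed: Dict[str, str], advisories: List[Dict[str, str]]) -> int:
    """Print one line per affected package; return the number of findings."""
    hits = find_vulnerable(installed, advisories)
    for pkg, ver, adv_id, fixed in hits:
        print(f"{pkg} {ver}: affected by {adv_id}, upgrade to >= {fixed}")
    if not hits:
        print("no installed package matches a known advisory")
    return len(hits)


if __name__ == "__main__":
    # Prefer a real bower_components tree if present, else the constructed sample.
    report(load_installed() or INSTALLED, ADVISORIES)
```

Run against the sample data this flags jquery and angular and leaves bootstrap alone, because 3.3.5 is already past the fix. The comparator logic is deliberately a strict subset of semver (no `^`/`~` shorthand, pre-release tags ignored), which is enough for advisory ranges but would need a proper semver library before being trusted with arbitrary `bower.json` constraints.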