Process for managing dependencies

[wemeetagain]

Is your feature request related to a problem? Please describe.

We want to be less vulnerable to "supply chain attacks", maliciously updated dependencies. (example here)
We want to have more assurances about the dependencies that we use and when we upgrade.

Describe the solution you'd like

Put more thought into the process around dependency selection and upgrades.
May result in revised internal team process or no action if current process is sufficient.

[dapplion]

If we lock a dependency to an exact version "some-dep": "0.1.0", but some-dep depends on a range: "bad-dep": "^1.0.0" and bad-dep gets compromised, are we vulnerable?

[frankiebee]

My gut instinct says yes but this is a curious question you have proposed y'all are using yarn?

[frankiebee]

I see you are using yarn. Running yarn audit regularly can help some with security risks and adding it as test suit would be good. It would be best to be over paranoid in this situation and may be good to start thinking about how best to trim down your dependencies or at least look into isolating them.

If we lock a dependency to an exact version "some-dep": "0.1.0", but some-dep depends on a range: "bad-dep": "^1.0.0" and bad-dep gets compromised, are we vulnerable?

the answer is yes you are still vulnerable if you dont have this in your yarn.lock. yarn.lock's mostly fix this issue

[wemeetagain]

offline convo: @frankiebee also says we need an up to date yarn version and enforce a minimum yarn version

[dapplion]

the answer is yes you are still vulnerable if you dont have this in your yarn.lock. yarn.lock's mostly fix this issue

However if a consumer installs lodestar via NPM the yarn.lock does not help :(

[frankiebee]

you shouldn't mix package managers include in the read me that you need yarn

[frankiebee]

warning package-lock.json found. Your project contains lock files generated by tools
other than Yarn. It is advised not to mix package managers in order to avoid resolution
inconsistencies caused by unsynchronized lock files. To clear this warning, remove
package-lock.json.

[frankiebee]

I would go as far as to throw in a preinstall script to use yarn.