mimblewimble/grin

Limit exposure to dependencies weaknesses

Open

#2026 opened on Nov 27, 2018

View on GitHub
 (5 comments) (1 reaction) (0 assignees)Rust (4,876 stars) (991 forks)batch import
good first issuehelp wantedtask

Description

I think we've all had this in mind for quite a while but this was a direct reminder (widely used npm package with newly injected malicious code):

https://github.com/dominictarr/event-stream/issues/116

I don't think we should worry about auditing every single of our dependencies and Rust does a good job at protecting us from some of these attacks. At this stage I'm also not too worried about crates.io getting hacked. But I do think we should at least make sure every single of our dependency is pinned to a specific version.

Contributor guide

Tech stack
rust
Domain
security
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Rust basicsCargo.tomldependency pinning concepts
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
The issue calls for pinning all dependencies to specific versions to mitigate supply chain attacks. First, examine the current Cargo.toml and Cargo.lock to identify unpinned dependencies. Then, research best practices for pinning in Rust, such as using exact versions or using `cargo update` to lock versions. The maintainers should decide on a policy and implement it in a PR that updates version specifiers. Consider also auditing if any dependencies already use [patch] or [replace] sections.