A research GitHub Action to check for Unsafe Dependency Changes

[raux]

We would like to recommend an action we created to help Open Source Projects, especially when dealing with code changes that might be unsafe when updating dependencies.

https://github.com/marketplace/actions/depsafe.

Its research in progress.

Asia and Raula.

[MKRhere]

Looking at the source, this warns if a require changes at all, and doesn't actually scan deps?

Does this add anything that snyk.io and dependabot don't already do for us?

[raux]

Actually, you are correct its very easy. All it does is alert the project when a require() function is being introduced with a dependency update. This might be an unsafe practice. Nothing complex.

Thanks for your feedback

Raula

[raux]

even if you dont implement, please provide us feedback from real-projects. Also, we want to also investigate how require() could be unsafe. I am also tagging our researcher and developer of the action @supatsara-wat

[MKRhere]

I don't see how require is unsafe, but import is safe[1]. Because of require.resolve? If so, import is not safe either. I'd say a good security solution should do more than just flag new requires. Maintainers already look for such suspicious changes; we don't blindly merge PRs. Telegraf is in fact in the process of reducing dependencies in its next major version.

[1] Implementing safer alternatives in place of identified unsafe updates

[raux]

thank you for your feedback. As suggested, maybe the idea is to reduce and flag any external dependencies and external sources of code.

Also, tooling to identify opportunities to reduce code is a great recommendation. Thank you for this insight.