from Hacker News

Ask HN: Why is open source vulnerability management still an unsolved problem?

by kjok on 8/3/23, 12:17 AM with 1 comments

Asking this again, hoping to get more responses this time.

We saw many startups (including YC) recently working on open source vulnerability discovery and patching. Curious to understand why this is still an unsolved problem when Dependabot (and other similar tools) can do this fairly well. Where specifically do the existing tools fail? Appreciate your insights.

  • by 8organicbits on 8/3/23, 1:07 AM

    Developers are hesitant to upgrade anything that's not being actively developed as updates can break things and automated testing either doesn't exist or isn't sufficient. Knowing when it's safe to ignore an update is also hard. Many vulnerabilities apply only to specific configurations, so you'd need to know review the description carefully, then track (somehow) that why you think you can skip it.

    Dependabot specifically handles updates in a very lazy way. It submits a PR per dependency, so you'll often find 5-10 open PRs that really should be a single 'npm audit --fix' patch or similar.

    My approach is to have great automated testing, then trust that updating dependencies is safe if the tests pass. There's still danger here with malicious dependency updates, unfortunately.