- Do you want to request a feature or report a bug?
Feature
- What is the current behavior?
In #456 we noticed there were quite a few dependencies with this project—which I attribute to JS lacking many of the affordances provided for languages like PHP. And though not all dependencies are used in the production bundle, many are, and some may be susceptible to attack vectors such as XSS or others defined by NPM/OWASP/etc.
- If the current behavior is a bug, please provide the steps to reproduce.
Not a bug per se, but an effect of using a micro-dependency approach that is common in Node apps and has some pitfalls, in that project deps may catch a vulnerability before having a chance to get patched in the downstream repos and forks.
- What is the expected behavior?
Help protect project users by implementing or making more visible any potential security vulnerabilities in project deps. In the past I'd done this with Snyk.
My personal experiences with Snyk were that it made patching known security vulnerabilities easier for the community by allowing them to be applied to individual projects even before upstream deps updated—this is performed through feedback during development and weekly emails from Snyk for those subscribed.
New advancements in NPM and Yarn may mitigate the needs or open new opportunities. So I'm not sure if Snyk is still the preferred approach to tackling monitoring of micro-libraries within Node apps.
- Please mention your node.js and operating system version.
All the nodes!
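One way to make dependency vulnerabilities visible in CI without a third-party service, as an added example that is not code from the issue or the project: the script triages the JSON report written by `npm audit --json` (it assumes the report-version-2 shape used by npm 7 and later) and fails the run when anything at or above a severity threshold is present. The sample report, package names and advisory titles are constructed for illustration.

```javascript
// Added example: gate a CI run on an `npm audit --json` report (v2 shape assumed).
// Usage: npm audit --json > audit.json; node audit-gate.js audit.json
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: package names and advisories are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-templating": {
      name: "example-templating", severity: "high", isDirect: true,
      via: [{ title: "Cross-site scripting in template rendering",
              url: "https://example.invalid/advisory/1" }],
      range: "<2.0.1",
      fixAvailable: { name: "example-templating", version: "2.0.1", isSemVerMajor: false },
    },
    "example-escape": {
      name: "example-escape", severity: "low", isDirect: false,
      via: ["example-templating"], range: "*", fixAvailable: false,
    },
  },
};

// Returns every vulnerability at or above `threshold`, flattened to what a
// maintainer needs to act on: direct or transitive, the root advisory, and
// whether `npm audit fix` can resolve it without a breaking (semver-major) upgrade.
function triageAudit(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  const findings = Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? 0) >= min)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // `via` mixes advisory objects (root causes) with package-name strings
      // (paths through other vulnerable packages); keep only the advisories.
      advisories: (v.via || []).filter((x) => typeof x === "object").map((x) => x.title),
      fixAvailable: Boolean(v.fixAvailable),
      breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { fail: findings.length > 0, findings };
}

// One line per finding, suitable for a CI log.
function formatFindings(result) {
  return result.findings.map((f) =>
    `${f.severity.toUpperCase()} ${f.name} (${f.direct ? "direct" : "transitive"})` +
    `${f.advisories.length ? ": " + f.advisories.join("; ") : ""}` +
    `${f.fixAvailable ? (f.breakingFix ? " [fix: major upgrade]" : " [fix available]") : " [no fix]"}`).join("\n");
}

if (process.argv[2]) { // real run: read the report path given on the command line
  const report = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const result = triageAudit(report, process.env.AUDIT_LEVEL || "high");
  console.log(formatFindings(result) || "no findings at or above threshold");
  process.exitCode = result.fail ? 1 : 0;
}
```

A non-zero exit code is what makes the finding visible: the build fails until the dep is upgraded or the advisory is consciously accepted, and `AUDIT_LEVEL=moderate` tightens the gate for production bundles.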