Do you block out time to investigate your dependencies? Do you rely on reporting from a tool? Do you rely on security audits by a third party? Word of mouth?
So far I check who maintains a package: are they well-known community members? Depending on the area of the package, I browse through the source code to understand what it is doing.
Packages with high download counts at least give some assurance that someone will notice if something is wrong.
I regularly use a web proxy analyzer to view which traffic is leaving my app and if there are calls that I don’t recognize.
The good thing is that Dart dependencies give you access to their source, so it's harder to hide something compared to some binary DLL.
So far at least I am not aware of any such incidents in the pub ecosystem.
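As an added example (not part of either post in this thread, and not a pub tool): a short Python script that parses a Dart pubspec.lock and flags every dependency that did not resolve to a hash-pinned package on pub.dev, which is the mechanical part of the "who maintains it and where does it come from" check described above. It assumes the lockfile layout `dart pub get` writes today (a `packages:` map with `source`, `version` and a `description` block carrying `name`, `sha256` and `url` for hosted packages); the sample lockfile, its hashes, package names and hostnames are constructed for illustration.

```python
"""Audit a Dart pubspec.lock for dependencies that did not come from pub.dev.

Added example, not code from the thread. Assumes the lockfile layout that
`dart pub get` writes; SAMPLE_LOCK is constructed and its hashes, names and
URLs are placeholders.
"""
import re

TRUSTED_HOST = "https://pub.dev"
SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Constructed lockfile: one clean pub.dev package, one hosted on another
# server, one git dependency and one path dependency.
SAMPLE_LOCK = """\
packages:
  http:
    dependency: "direct main"
    description:
      name: http
      sha256: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
      url: "https://pub.dev"
    source: hosted
    version: "1.2.1"
  internal_sdk:
    dependency: "direct main"
    description:
      name: internal_sdk
      sha256: "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
      url: "https://pub.internal.example"
    source: hosted
    version: "2.0.0"
  fancy_widgets:
    dependency: "direct main"
    description:
      path: "."
      ref: main
      resolved-ref: "0123abcd"
      url: "https://example.com/someone/fancy_widgets.git"
    source: git
    version: "0.3.0"
  local_utils:
    dependency: "direct dev"
    description:
      path: "../local_utils"
      relative: true
    source: path
    version: "0.0.1"
sdks:
  dart: ">=3.0.0 <4.0.0"
"""


def parse_lock(text):
    """Parse the `packages:` section into {name: {..., "description": {...}}}.

    pubspec.lock is two-space-indented YAML without lists, so a line-based
    parser is enough and avoids a PyYAML dependency.
    """
    packages, current, in_packages = {}, None, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        value = value.strip().strip('"')
        if indent == 0:
            in_packages = key == "packages"  # other top-level keys (sdks) are ignored
        elif not in_packages:
            continue
        elif indent == 2:
            current = key
            packages[current] = {"description": {}}
        elif indent == 4 and value:
            packages[current][key] = value
        elif indent == 6:
            packages[current]["description"][key] = value
    return packages


def audit(packages):
    """Return {package: reason} for every entry that deserves a manual look."""
    findings = {}
    for name, info in packages.items():
        source, desc = info.get("source"), info["description"]
        if source == "hosted":
            if desc.get("url") != TRUSTED_HOST:
                findings[name] = f"hosted on {desc.get('url')}, not {TRUSTED_HOST}"
            elif not SHA256_RE.fullmatch(desc.get("sha256", "")):
                findings[name] = "no valid sha256 pinned in lockfile"
        elif source == "git":
            findings[name] = f"git dependency {desc.get('url')} @ {desc.get('resolved-ref')}"
        elif source == "path":
            findings[name] = f"path dependency {desc.get('path')}"
        else:
            findings[name] = f"unknown source {source!r}"
    return findings


if __name__ == "__main__":
    for pkg, reason in audit(parse_lock(SAMPLE_LOCK)).items():
        print(f"{pkg}: {reason}")
```

Run it against a real project with `audit(parse_lock(open("pubspec.lock").read()))`. A git or path dependency is not wrong in itself, but it bypasses pub.dev's content hash and its maintainer/publisher page, so those are exactly the entries that warrant the manual source review described above; a hosted package on a host other than pub.dev is worth the same treatment.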
Similarly to @escamoteur, I do some research on any new dependencies I add to a project. This gets you a long way.
Recently, I've also started using the tools Syft & Grype to scan my dependencies for any known vulnerabilities, and Grant to check for any licenses that may not be compatible with my project.
Also relevant: