TeddyDD

Oh No! My dependency has a vulnerability

A quick reminder, in the context of the Log4j RCE (Log4Shell) that caused quite a lot of havoc in the Java ecosystem:

You are responsible for dependencies you are introducing to your project.

Recursively: if you add dependency X, which in turn depends on Y, you are responsible for both packages.

Unless you have a contract with the vendor, it’s your job to audit the dependency and make sure it’s safe to use. It’s your job to respond to vulnerabilities. It’s your (or your manager’s) fault if an RCE like this affects your software.
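What "recursively responsible" means in practice is that you have to know the whole tree, not just the lines you wrote in your build file. The script below is an added example, not code from this post: it walks a constructed lockfile-style dependency graph from your project, records the chain of packages that pulled each transitive dependency in, and checks every reachable package against a small advisory list. The package names, versions and the advisory entry (including its version range) are constructed sample data for illustration; real advisories often carry exclusions, such as patched maintenance branches, that a plain range check like this one does not model.

```python
"""Transitive dependency walk with a simple advisory check.

Added example, not part of the original post. All data below is constructed
for illustration; it is not a real lockfile or a copy of any real advisory.
"""
from collections import deque
from typing import Dict, List, Tuple

Pkg = Tuple[str, str]  # (package name, version)

# Constructed sample lockfile: each resolved package -> its direct dependencies.
SAMPLE_LOCK: Dict[Pkg, List[Pkg]] = {
    ("my-app", "1.0.0"): [("web-framework", "3.2.0"), ("json-lib", "2.9.0")],
    ("web-framework", "3.2.0"): [("log4j-core", "2.14.1"), ("json-lib", "2.9.0")],
    ("log4j-core", "2.14.1"): [("log4j-api", "2.14.1")],
    ("log4j-api", "2.14.1"): [],
    ("json-lib", "2.9.0"): [],
}

# Constructed sample advisories: name -> [(advisory id, introduced, fixed)].
# "introduced" is inclusive, "fixed" is exclusive. The range is simplified
# sample data, not a transcription of the real Log4Shell advisory.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "log4j-core": [("CVE-2021-44228", "2.0-beta9", "2.16.0")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple.

    Pre-release suffixes after '-' are dropped; good enough for this check,
    but a real tool should use the ecosystem's own version ordering.
    """
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def transitive_closure(lock: Dict[Pkg, List[Pkg]], root: Pkg) -> Dict[Pkg, List[str]]:
    """Breadth-first walk from root.

    Returns every reachable package together with the shortest chain of
    package names that pulls it in, i.e. the path you are answerable for.
    """
    paths: Dict[Pkg, List[str]] = {root: [root[0]]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dep in lock.get(current, []):
            if dep not in paths:
                paths[dep] = paths[current] + [dep[0]]
                queue.append(dep)
    return paths


def find_vulnerable(
    lock: Dict[Pkg, List[Pkg]],
    advisories: Dict[str, List[Tuple[str, str, str]]],
    root: Pkg,
) -> List[dict]:
    """Report every reachable package whose version matches an advisory.

    Each finding carries the path from the root, so you can see which of
    your direct dependencies is the one you need to bump or replace.
    """
    findings = []
    for (name, version), path in transitive_closure(lock, root).items():
        for adv_id, introduced, fixed in advisories.get(name, []):
            if affected(version, introduced, fixed):
                findings.append({
                    "package": name,
                    "version": version,
                    "advisory": adv_id,
                    "fixed_in": fixed,
                    "path": path,
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCK, SAMPLE_ADVISORIES, ("my-app", "1.0.0")):
        print(f"{f['package']} {f['version']} ({f['advisory']}, fixed in {f['fixed_in']}) "
              f"pulled in via {' -> '.join(f['path'])}")
```

On the sample data this reports log4j-core 2.14.1 reached through my-app -> web-framework -> log4j-core: the vulnerable package is not in your build file at all, but the path tells you that web-framework is the direct dependency you have to upgrade, pin an override for, or drop.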

But Teddy, you can’t expect me to audit a 170 kLOC logging library?

Yes, I do. If you can’t, use printf instead. Even better: convince your company to hire someone to work on the dependency full-time.

One thing I do expect you NOT to do is whine at and harass the people who maintain a piece of FOSS software.

So if you are one of the people @yazicivo talks about, do the right thing and go fuck yourself off a cliff.