Management. It's an absurd request, IMO. There are some expensive third party tools that will analyze the package dependencies for security issues, I would suggest that. Can't remember the name of the tool our company bought, but it did identify a couple issues. Even worse, the code analysis it did identified a piece of code that had been copied from StackOverflow that apparently was "licensed." We had to remove that code. It actually wasn't even doing anything, lol.
Thanks Marc
If it's not broken, fix it until it is.
Everything makes sense in someone's mind.
Ya can't fix stupid.
I would recommend a tool like OWASP Dependency-Check to scan for security problems.
modified 11-Nov-22 12:23pm.
Kevin Marois wrote: I've never been tasked with a blanket upgrade of ALL packages "to make sure they're secure"
They'll probably change their minds real quick when some newer package introduces problems/vulnerabilities/backdoors.
This company has a "Just do it and we'll deal with the issues later" mindset
If it's not broken, fix it until it is.
Everything makes sense in someone's mind.
Ya can't fix stupid.
I would report them to law enforcement. Stupidity like this isn't born overnight. They're clearly ingesting large quantities of illegal substances.
/ravi
I think there should be a middle ground.
You need to have a procedure to upgrade packages on a continuous basis.
If you start upgrading too many packages at the same time, it will be difficult to detect errors.
Also, you should have testing in place for code related to those packages, no ?
CI/CD = Continuous Impediment/Continuous Despair
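The "middle ground" above is a procedure: upgrade continuously, one package at a time so a regression can be pinned on a single change, and run the test suite after each step. The script below is an added example of what that staged plan can look like for a NuGet project; it is not code from the thread or from any tool mentioned in it. The .csproj content, the "latest version" table and the advisory list are all constructed stand-ins (in practice they would come from the package feed and an advisory database such as the one OWASP Dependency-Check consults); package names and the advisory id are hypothetical.

```python
"""Staged NuGet upgrade planner.

Added example, not from the thread. Everything below is constructed:
the .csproj, the LATEST table (stands in for a feed query) and the
ADVISORIES table (stands in for an advisory database). Packages that
have a known advisory are scheduled first; each step is meant to be
applied and tested on its own before moving to the next one.
"""
from xml.etree import ElementTree as ET

# Constructed .csproj with hypothetical package names.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Logging" Version="1.2.0" />
    <PackageReference Include="Example.Json" Version="12.0.1" />
    <PackageReference Include="Example.Http" Version="4.3.0" />
  </ItemGroup>
</Project>"""

# Constructed "latest known version" per package (stand-in for the feed).
LATEST = {
    "Example.Logging": "1.4.2",
    "Example.Json": "13.0.1",
    "Example.Http": "4.3.0",
}

# Constructed advisories: package -> list of (fixed_in_version, advisory_id).
ADVISORIES = {
    "Example.Json": [("13.0.1", "EXAMPLE-ADV-0001")],
}


def parse_version(version):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def read_packages(csproj_xml):
    """Return {package_name: pinned_version} from PackageReference elements."""
    root = ET.fromstring(csproj_xml)
    return {
        el.get("Include"): el.get("Version")
        for el in root.iter("PackageReference")
    }


def plan_upgrades(packages, latest, advisories):
    """Build an ordered list of (name, current, target, reason) steps.

    Packages already at the latest version are skipped. A package whose
    pinned version is below the fix version of an advisory is marked with
    that advisory and sorted ahead of plain "outdated" upgrades.
    """
    plan = []
    for name, current in packages.items():
        target = latest.get(name)
        if target is None or parse_version(target) <= parse_version(current):
            continue  # nothing newer known; leave it alone
        open_advisories = [
            adv_id
            for fixed_in, adv_id in advisories.get(name, [])
            if parse_version(current) < parse_version(fixed_in)
        ]
        reason = (
            "advisory " + ",".join(open_advisories) if open_advisories else "outdated"
        )
        plan.append((name, current, target, reason))
    # Vulnerable packages first, then alphabetical for a stable order.
    plan.sort(key=lambda step: (0 if step[3].startswith("advisory") else 1, step[0]))
    return plan


if __name__ == "__main__":
    for step_no, (name, current, target, reason) in enumerate(
        plan_upgrades(read_packages(CSPROJ), LATEST, ADVISORIES), start=1
    ):
        print(f"step {step_no}: {name} {current} -> {target} ({reason}); "
              "build and run the test suite before the next step")
```

The ordering is the point: a package with an open advisory is upgraded first and alone, so if the build or tests break, the cause is one known change rather than a batch of twenty.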
We are in a similar position with log4j. The big LDAP injection bug that was so publicized was introduced in 2.x.
We are still using 1.2.x because who wants to do things like make an LDAP call in the middle of trying to log something? (Some bad actor probably introduced that LDAP feature on purpose! Maintainers succumbed to ridiculous feature creep.)
Management:
1.2.x is no longer supported, update to the version that introduced all of the security holes!
When I told the guy that just because a package is on NuGet doesn't mean it's secure, I was blown off and told to do it anyway
If it's not broken, fix it until it is.
Everything makes sense in someone's mind.
Ya can't fix stupid.
Don't tell... say it per email.
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Połoz - Run Away Jimmy
I'm currently watching the Cyberpunk Edgerunners series.
Haven't played the game, but I heard good things about the series and, indeed, I love it!
Awesome anime with lots of gore and violence
And a great soundtrack.
Couldn't find the official soundtrack, but I did find a playlist with songs, and Połoz was on it.
Can't remember if it was this particular song, but the song I found impressed me and I've been listening to Połoz for the entire week.
Love this one in particular, so SOTW
Can't find much about the guy, except his Facebook, SoundCloud and Spotify page (so his music, basically).
Real name(?) Piotr Połoz a.k.a. Tsar Poloz, formerly known as Deuce, Polish.
Quote: Awesome anime with lots of gore and violence
I can't wait. Maybe you know the last three letters of my last name.
"Can't wait. Maybe you know the last three letters of my last name."
Are they "nce"?
"nce"? Surely you're joking Mr. Feynman'ski
"otr"? I really haven't the slightest what you're hinting at
Your original post was of Polish musicians. You correctly translated my post so you know its language. Everyone knows Poles end their surnames w/ "ski". I am re/ "nce" and "otr" but that is nothing new for me here on Lounge as I often see mysterious terminology and references perhaps these are yet more of same.
peterkm wrote: Hans Zimmer - Small measure of Peace | slow relaxing ambient - YouTube That is slow and relaxing, yet epic as we may expect from Hans Zimmer
peterkm wrote: Spiral Tribe X Side A 1994 - YouTube Not bad, started out very well, but got on my nerves near the end.
Quote: Not bad, started out very well, but got on my nerves near the end. 
Das good stuff!
Always nice when people think of me
I wonder why you get Vietnamese metal bands in your mailbox though
I am a member of WT.Social They send a weekly grab bag of stuff.