Vulnerabilities in transitive packages/dependencies

[creativesuspects]

I'm wondering which approach Umbraco takes and advises regarding vulnerabilities in transitive packages/dependencies?

[bergmania]

Hi @creativesuspects.

It depends..
Usually if there is a vulnerability in a direct dependency we will update it. If it is a nested dependency and Umbraco is not restricting you somehow from updating it yourselves, we will wait for when our dependency is updated.

[creativesuspects]

@bergmania Thanks for the quick reply. Just to get our terminology straight:

1. Developer project
  > 2. Direct project dependency (in this case Umbraco)
    > 3. Direct Umbraco dependency = Transitive project dependency
      > 4. Transitive Umbraco dependency

So when there's a vulnerability in a transitive Umbraco dependency (4) which can be updated by the project developer (1) Umbraco waits for the maintainer of the direct Umbraco dependency (3) to update the vulnerable transitive Umbraco dependency. Correct?

So Umbraco does not update any vulnerable transitive Umbraco dependencies (4) effectively making them a direct Umbraco dependency (3)?

In your experience what is the risk of upgrading the transitive dependencies in the developer project, since this could potentially introduce compatibility issues and/or breaking changes.

[bergmania]

Correct..

My experience is there is no risk updating on the developer project, as long as you keep to the same major version of projects using SemVer (Most of them).