This repository has been archived by the owner on Nov 16, 2022. It is now read-only.
This story also highlights the dangers of libraries being backdoored. If the Requests library did have malicious code inserted into it, there are likely many developers and CI systems that would have pulled this and ended up executing it on production systems for other companies. The best mitigation against an attack like this is to locally host your own package repos, such that hopefully there is enough of a delay between the attack occurring and it being discovered that your local repos will not have been updated with the malicious code. Doing this, however, requires vigilance in updating the repo to ensure any security-related patches are pulled.
We "locally host our own package repos" (by simply including tarballs in Git), but we don't have a good procedure in place for "updating the repo to ensure any security related patches are pulled." Let's make one! :)
I just gave snyk.io a go and I am amazed at what it detected. There are multiple vulnerable dependencies in most of our repositories. Snyk.io can also submit PRs to patch vulnerable dependencies.
For our python dependencies we could use https://pyup.io/. I also gave that a go and it found a couple of issues too.
https://summitroute.com/blog/2016/08/14/downclimb/
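The procedure proposed in the issue (vendored tarballs in Git, plus a regular check that security fixes have been pulled) and the advisory-driven scanning that snyk.io and pyup.io perform in the comment above both reduce to the same check: parse the vendored package names and versions, compare them against an advisory feed's "first fixed version", and report anything older. The script below is an added illustration of that check written for this page; it is not code from the repository or from either tool. The tarball listing, the advisory entries (PLACEHOLDER-ADVISORY-*) and the version numbers are constructed for the example, and the version comparison is a simplified dotted-integer ordering rather than a full PEP 440 implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed listing of a vendored-tarball directory (hypothetical names and
# versions, not taken from the repository discussed in the thread).
VENDORED_TARBALLS = [
    "requests-2.9.1.tar.gz",
    "flask-0.10.1.tar.gz",
    "six-1.10.0.tar.gz",
    "PyYAML-3.11.tar.gz",
    "python-dateutil-2.8.2.tar.gz",
]

# Constructed advisory feed: (package, first fixed version, advisory id).
# Placeholder entries that only exercise the check; they are not real advisories.
ADVISORIES = [
    ("requests", "2.20.0", "PLACEHOLDER-ADVISORY-1"),
    ("Flask", "0.12.3", "PLACEHOLDER-ADVISORY-2"),
    ("six", "1.0.0", "PLACEHOLDER-ADVISORY-3"),
]

# <name>-<version>.tar.gz; the name is matched non-greedily so that names
# containing dashes (python-dateutil) still split at the version boundary.
TARBALL_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)\.tar\.gz$"
)


@dataclass
class Finding:
    name: str
    vendored_version: str
    fixed_version: str
    advisory: str


def normalize_name(name: str) -> str:
    """PEP 503 project-name normalization: case-fold and collapse -, _ and . runs."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_tarball(filename: str) -> Tuple[str, str]:
    """Split a vendored sdist filename into (normalized name, version string)."""
    m = TARBALL_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised tarball name: {filename}")
    return normalize_name(m.group("name")), m.group("version")


def compare_versions(a: str, b: str) -> int:
    """Compare dotted-integer versions; missing trailing components count as 0.

    Returns a negative number if a < b, 0 if equal, positive if a > b.
    Simplified ordering for the example; real feeds need PEP 440 parsing.
    """
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def audit(tarballs: Sequence[str], advisories: Sequence[Tuple[str, str, str]]) -> List[Finding]:
    """Report every vendored package whose version is older than an advisory's fix."""
    vendored = dict(parse_tarball(t) for t in tarballs)
    findings: List[Finding] = []
    for pkg, fixed, advisory_id in advisories:
        key = normalize_name(pkg)
        if key not in vendored:
            continue  # advisory for a package we do not vendor
        if compare_versions(vendored[key], fixed) < 0:
            findings.append(Finding(key, vendored[key], fixed, advisory_id))
    return findings


if __name__ == "__main__":
    for f in audit(VENDORED_TARBALLS, ADVISORIES):
        print(f"{f.name} {f.vendored_version} < {f.fixed_version}  ({f.advisory})")
```

Run as a CI step against the directory of vendored tarballs, the script fails loudly on any finding, which is the "vigilance" step the quoted post calls for; a real advisory feed (the one snyk.io or pyup.io consults, or the PyPI advisory database) replaces the constructed `ADVISORIES` list.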