
Feature Request: Update to the minimum version with no security vulnerabilities of a certain severity #1475

Open
norcino opened this issue Nov 5, 2024 · 5 comments

Comments

@norcino

norcino commented Nov 5, 2024

It would be nice to have an option like --min-secure "severity", to allow a safer and quicker upgrade if security issues are found within the dependencies.

For example if I specify --min-secure high, the tool should list the next available version to upgrade to, which is not affected by any issue with severity high or critical.

@raineorshine
Owner

Hi, thanks for the suggestion.

I have a question. When you say "next available version," what did you have in mind? Since the default behavior of npm-check-updates is to update the dependency to the latest version, there is no "next" version. Are you using other options to limit the version number?

@norcino
Author

norcino commented Nov 5, 2024

Hi
I mean the minimum version to update to, in order to have no security issues.

For example, assuming my application:
Current version: 1.0.0 (affected by a high security issue)
Lowest version with no security issues: 1.0.19
Latest version: 1.3.0

Using --min-secure, it should suggest that I update to 1.0.19 instead of 1.3.0.
This would help me mitigate the risk of breaking something during an upgrade.

To give you context, in an SDL (Secure Development Lifecycle), during each sprint we ask teams to work on a small security item: to review, fix, prevent and so on.
A team could work to remove at least "critical" findings, if this could be done potentially quicker and with less risk of introducing issues or of having to address breaking changes.
Upgrading a patch or minor version generally requires much less effort.

@raineorshine
Owner

I see! And if 1.0.20 also had no security issue, would you want to upgrade to 1.0.19 or 1.0.20?

@norcino
Author

norcino commented Nov 5, 2024

Very good question.
Shall we trust the package development team to properly use semver?
Yes it would be fine I guess.

@raineorshine
Owner

So I think in that case what you're looking for is the maximum secure version, rather than the minimum.

I'm not sure how to access the security vulnerabilities, but it sounds like a good suggestion.
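As an added example (not code from npm-check-updates or from either participant), here is the selection logic the two readings in this thread imply, run over constructed version and advisory data: norcino's lowest clean version above the current one, and raineorshine's highest clean version that stays within the current release line. The severity ranks, the `[from, fixedIn)` advisory shape and the sample package data are all assumptions.

```javascript
// Added example, not npm-check-updates code: choose an upgrade target that avoids
// advisories at or above a severity threshold, as discussed in this issue.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample data: published versions of a hypothetical package and
// advisories covering the half-open range [from, fixedIn).
const VERSIONS = ['1.0.0', '1.0.5', '1.0.18', '1.0.19', '1.0.20', '1.1.0', '1.2.0', '1.3.0'];
const ADVISORIES = [
  { id: 'SAMPLE-1', severity: 'high', from: '1.0.0', fixedIn: '1.0.19' },
  { id: 'SAMPLE-2', severity: 'low', from: '1.0.0', fixedIn: '1.1.0' },
  { id: 'SAMPLE-3', severity: 'critical', from: '1.2.0', fixedIn: '1.3.0' },
];

const parseVersion = v => v.split('.').map(Number); // "1.0.19" -> [1, 0, 19]

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Versions not affected by any advisory rated at or above minSeverity, ascending.
function secureVersions(minSeverity, versions = VERSIONS, advisories = ADVISORIES) {
  const blocking = advisories.filter(a => SEVERITY_RANK[a.severity] >= SEVERITY_RANK[minSeverity]);
  const affected = (v, a) => compareVersions(v, a.from) >= 0 && compareVersions(v, a.fixedIn) < 0;
  return versions.filter(v => !blocking.some(a => affected(v, a))).sort(compareVersions);
}

// norcino's reading: the lowest version above `current` with no blocking advisory.
function minSecureVersion(current, minSeverity, versions = VERSIONS, advisories = ADVISORIES) {
  return secureVersions(minSeverity, versions, advisories)
    .find(v => compareVersions(v, current) > 0) ?? null;
}

// raineorshine's reading: the highest secure version that stays within the
// current release line. scope 'patch' keeps major.minor, 'minor' keeps major.
function maxSecureVersion(current, minSeverity, scope = 'patch', versions = VERSIONS, advisories = ADVISORIES) {
  const cur = parseVersion(current);
  const sameLine = v => {
    const p = parseVersion(v);
    return scope === 'patch' ? p[0] === cur[0] && p[1] === cur[1] : p[0] === cur[0];
  };
  const candidates = secureVersions(minSeverity, versions, advisories)
    .filter(v => compareVersions(v, current) > 0 && sameLine(v));
  return candidates.length ? candidates[candidates.length - 1] : null;
}

console.log(minSecureVersion('1.0.0', 'high'), maxSecureVersion('1.0.0', 'high'));
```

With the sample data and a `high` threshold the two readings differ (1.0.19 versus 1.0.20 on the 1.0.x line), and the threshold matters: at `low` the only clean versions are 1.1.0 and 1.3.0, so no patch-level target exists.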
