What developer turns on auto updates of things like NPM, Composer, etc.? In my books that’s a fireable offense.
 
It's very common (notice I said common, not smart) that dependencies are not checked into source control with the project, but instead are installed at the time of deployment, so e.g. files are copied to the server, and then composer/npm/etc are run to install dependencies based on the project configuration (which is part of the source control repo, and thus gets deployed).

Some will use "lock" files to only install a very specific version at deployment time, but given that they were internal libraries, it's possible they had no such limiting factor.

Like I said earlier, vendoring dependencies (i.e. you commit your dependencies to your own source control, so changes are trackable and reviewable just like your own code) is a pretty simple way to avoid a whole host of potential problems when relying on third party dependencies.
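One way to enforce the lock-file discipline the post describes, as an added example (not code from the thread): a Python audit of an npm package-lock.json that flags internal-scoped packages resolved from anywhere other than the internal registry, and entries that lack a pinned resolved URL and integrity hash. The `@acme/` scope, the internal registry URL and the lock file contents are constructed assumptions.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 2/3 "packages" layout).
# @acme/billing is the suspicious entry: an internal-looking name resolved
# from the public registry at an implausibly high version.
SAMPLE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@acme/auth": "^2.0.0", "left-pad": "1.3.0"}},
        "node_modules/@acme/auth": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/@acme/auth/-/auth-2.1.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/@acme/billing": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@acme/billing/-/billing-9.9.9.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/left-pad": {"version": "1.3.0"},
    }})

INTERNAL_PREFIX = "@acme/"                       # assumed internal scope
INTERNAL_REGISTRY = "https://npm.internal.example/"  # assumed private registry


def audit_lockfile(text, internal_prefix=INTERNAL_PREFIX,
                   internal_registry=INTERNAL_REGISTRY):
    """Return a list of (package_name, problem) tuples for a package-lock.json."""
    lock = json.loads(text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        # Internal packages must come from the internal registry only.
        if name.startswith(internal_prefix) and not resolved.startswith(internal_registry):
            findings.append((name, "internal package resolved outside internal registry"))
        # Every entry should be pinned to a concrete URL and a content hash.
        if not resolved or not entry.get("integrity"):
            findings.append((name, "missing resolved URL or integrity hash"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}: {problem}")
```

Run it against a real lock file in CI and fail the build on any finding; a vendored tree gets the same review for free, since the files themselves are in the diff.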
 
"...while Apple told BleepingComputer that Birsan will receive a reward via the Apple Security Bounty program for responsibly disclosing the issue"

lol... That's what we get for being in a walled garden...
 