The benefit of software dependencies is that they allow developers to deliver software faster building on previous code. Dependencies are integral part of the software development cycle and they will be used at different stages i.e. development, execution or testing. Yet dependencies not only may introduce risks that are often overlooked, but their fast resolution and compliance with license types must be taken into consideration. In this extremely fast session we will see some of the advantages of using a mature, robust artifact manager for npm, bower and other package managers

2. All about dependencies
@ixchelruiz — JFrog

3. @IXCHELRUIZ

4. Key

5. Dependencies

6. Dependencies
Software development
Development
Runtime
Test

7. Dependencies
Not all are the same.

8. ixchelruiz
True? Or False?

9. ixchelruiz
“Dependencies are collections containing high-
quality tested code that provides functionality
that required significant expertise to develop. ”

10. ixchelruiz
“Dependency managers like NPM have
made possible that trivial functionality can
be packaged and published”

11. Dependencies
Types of Dependencies

12. ixchelruiz
Types of Dependencies
Frameworks, libraries, packages, modules
and resources.

13. ixchelruiz
Resources
“Collection of files for example templates, media ( audio,
video or images ), plain text files or blobs that need to
be included by applications to execute correctly”

14. ixchelruiz
Module
“Set of methods and functions that provide a self
contained functionality. A module usually has
an interface that specifies both the functionality it
provides as well as the functionality it depends on”

15. ixchelruiz
Package
“A collection of modules that hold in general the same
functional purpose. Usually a directory that contains
a file that describe metadata about the package.”

16. ixchelruiz
Library
“A collection of related functionality defined in several
packages, is essentially a set of functions that you can
call, each call does some work and returns control to
the client or application that executed said function. ”

17. ixchelruiz
Frameworks
“A framework embodies some abstract design, with more
behaviour built in. In order to use it you need to insert
your behaviour into various places in the framework .The
framework's code then calls your code at these points.”

18. Frameworks — Platforms
Key points
• Functionality
• LOC ( size )
• Opinionated
• Integration between functional components
• Roadmap — Versioning
• Licensing
• Tests

19. ixchelruiz
Angular — React
Framework — Platform
Library

21. Perspective

22. ixchelruiz
Key considerations
“Cadence of update, migrations costs or
cleanup efforts”

23. What can possibly go wrong?

24. ixchelruiz
The unknown programmer
“ Adding a dependency outsources the work of
developing that code—designing, writing, testing,
debugging, and maintaining—to someone else”

25. ixchelruiz
NPM
Notable breakages
March 2016: left-pad → unpublish
February 2018: npm version 5.7.0 on Linux → ownership of system
files
July 2018: eslint-scope version 3.7.2 → copied the npm
credentials.
November 2018: event-stream version 3.3.6 (flatmap-stream)
→ stole bitcoins

26. ixchelruiz
NPM
Notable breakages
April 2020: is-promise → outage in serverless applications
January 2022: colors pushed changes → text in an infinite loop.

27. https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/
https://jfrog.com/blog/malware-civil-war-malicious-npm-packages-targeting-malware-authors/

28. https://jfrog.com/blog/npm-package-hijacking-through-domain-takeover-how-bad-is-this-new-attack/
https://jfrog.com/blog/how-to-prevent-the-next-log4j-style-zero-day-vulnerability/

29. Dependencies
Tools

30. https://jfrog.com/xray/

31. https://owasp.org/www-project-dependency-track/

32. https://github.com/ossf/scorecard

33. ixchelruiz
Surviving Software
Dependencies
Russ Cox
acmqueue

34. ixchelruiz
Cost of adopting a bad dependency

35. ixchelruiz
Inspect the Dependency

36. ixchelruiz
Inspect Dependency: Design
“Is the documentation clear? Does the
API have a clear design? ”

37. ixchelruiz
Inspect Dependency: Code Quality
“Is the code well written? Does it look like the authors
have been careful, conscientious, and consistent?
Does it look like code you would want to debug?”

38. ixchelruiz
Inspect Dependency: Testing
“Does the code have tests? Can you run
them? Do they pass? Tests establish that
the code's basic functionality is correct”

39. ixchelruiz
Inspect Dependency: Bug
fi
xing
“Issue tracker. Are there many open bug reports?
How long have they been open? Are there many
fixed bugs? Have any bugs been fixed recently?”

40. ixchelruiz
Inspect Dependency: Maintenance
“How long has the code been actively
maintained? Is it actively maintained now?
How many people work on the package?”

41. ixchelruiz
Inspect Dependency: Usage
“Do many other packages depend on this
code? How often others write about
using the project?”

42. ixchelruiz
Inspect Dependency: Security
“Will you be processing untrusted inputs with the package?
If so, does it seem to be robust against malicious inputs?
Does it have a history of security problems listed in the
NVD (National Vulnerability Database)?”

43. ixchelruiz
Inspect Dependency: Licensing
“Is the code properly licensed? Does it
have a license at all? Is the license
acceptable for your project or company?”

44. ixchelruiz
Inspect Dependency: Dependencies
“Does the code have dependencies of its
own? List all the transitive
dependencies”

45. ixchelruiz
Universal Artifact Management
ONE tool at the centre

46. https://jfrog.com/start-free/

47. https://github.com/jfrog/frogbot

48. https://github.com/jfrog/frogbot

49. https://jfrog.com/blog/get-peace-of-mind-about-security-when-deploying-containers-from-docker-desktop/

50. IntelliJ Idea Plugin