dependencies
3 articles with this tag
Running Next.js safely: not falling behind on published CVEs
The top framework risk is neglected published CVEs. Defend with four pillars: judge by the running version, monitor with Dependabot/osv-scanner, update fast, and run least-privilege. ITD's view: indie devs lose not on knowledge but on operational continuity — win with a system that doesn't miss, not with speed.
Log4Shell (CVE-2021-44228) — the night the world feared a bug it couldn't even confirm it had
Log4j's CVSS 10.0 bug. The real fear was the transitive dependency — being affected through a library you didn't know you used. A passive logging path became an attack vector. SBOMs, automated monitoring, fast patching, and following the follow-up CVEs are the lessons.
The XZ Utils backdoor (CVE-2024-3094) — when trust itself was the target
A trusted maintainer planted a backdoor in xz — a supply-chain attack. One engineer's 'this feels slow' caught it just before stable. Code wasn't the target — people and trust were. Minimize dependencies, pin versions, build reproducibly, chase anomalies, and support maintainers.