Security of packages

[beguene]

This is to start the discussion about the security of our javascript packages and dependencies.
Currently we lock the packages using yarn.lock but it still fetches from npm which could be vulnerable.
We might need to have a stronger locking mechanism to prevent 'software supply chain attack'
We can explore tools like https://github.com/LavaMoat/LavaMoat or build our own

[andresgalante]

Apart from security concerns, what else would you look for to vet dependencies when we choose them?

[beguene]

I would evaluate the upside of including the package with a bias for NOT using the package if possible (build our own, use native browser solution etc..)
Besides we can:

• Prefer a package that we already used and vetted before (in another project)
• Consider to number of dependencies of that package, the lower the number the better
• Assess the quality of the author/company
• Look at the longevity: the older the better (in general)
• Check popularity (of usage ,not stars)
• Check quality of the code and docs
• Look for included binaries (can hide malicious code)
• Check if it's actively maintained