This Is How We Use Snyk to Protect Our Open-Source Projects from *Bad* Dependencies

Eldad A. Fux
3 min readNov 11, 2019

--

While working on Appwrite, one of our biggest concerns is our software security. Many developers who choose to use Appwrite are doing so because it offers an end-to-end backend server for web and mobile developers with *built-in* security.

With such a big responsibility, it’s extremely important to us to continually think of ways to protect our code, developers, and users from different security concerns.

Package management and software dependencies have significant advantages for implementing advanced features in no-time, but they also come with a cost. New dependencies can introduce new bugs, security vulnerabilities, and more dependencies that you have little to no control over. At Appwrite, we take the process of introducing new dependencies to our project very seriously.

Before deciding to add a new package, we have to make sure a few things:

  1. The package is actively under development.
  2. The package has extensive usage in the community. Sometimes GitHub stars help us understand this factor, but we are not using this as a rule of thumbs.
  3. The package maintainers are following community best practices like coding standards and version management, and they maintain good documentation.
  4. The package introduces us to no other 3rd party dependencies or as little as possible.
  5. The package has a real value. Building an ‘in-house’ solution that will be more focused and lean is not possible.

These rules are nice and have worked for us to some degree, but are very hard to enforce and maintain over a long period, That’s where Snyk come into the picture.

Snyk has a very cool solution that aims to automatically find and fix open source vulnerabilities and monitors our dependencies constantly. All of these features are available for free with a nice and very open-source friendly free tier plan.

Snyk helps us protect our dependencies in 5 major ways:

  1. Snyk scans for vulnerabilities in our dependencies with every new pull-requests by any of our team members or our ~100 project contributors.
  2. Snyk alerts us in real-time if a vulnerability has been discovered in any of our dependencies.
  3. Snyk automatically sends us pull-requests to keep our project dependencies up-to-date with the latest compatible versions.
  4. Snyk actively sends us suggestions on how to respond to any vulnerabilities found in our packages.
  5. Snyk helps us map and understand Appwrite’s entire dependencies tree, including child dependencies, introduced by our direct dependencies.
snyk-bot? are you there?

With Snyk integrated into our GitHub account, we offer near-real-time protection to our developers with minimum effort required from our core team or project contributors. The only disadvantage we found using Snyk is that the snyk-bot rudely ignores our flirts.

--

--

Eldad A. Fux
Eldad A. Fux

Written by Eldad A. Fux

Entrepreneur, Software Architect, open source enthusiastic and the creator of appwrite.io. You can follow me on twitter: https://twitter.com/eldadfux

No responses yet