-
-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Duplicate packages detected in the ansicolors project on Tag: 4.1.1 #50
Comments
I don't think your issue has any relevance to this package, but I'll answer anyway since I care about the topic.
You can update your criteria to the following: A project is duplicated when identical packages with identical versions exist. Package managers automatically handle this, and builds can be configured to handle advanced de-duping via strategies like tree shaking, or even handling some version mismatches. If you see identical duplicate packages and you don't understand why, you can learn more about this on Stack Overflow, or create an issue with NPM or yarn to let them know that they are not de-duplicating packages correctly.
Please show the research that explains how the "attack surface" grows from duplicate packages, so that we can act on that information accordingly. For example, let's say there is a potential ReDoS vulnerability. How do "hackers get a higher chance of successfully exploiting packages" when the same package appears multiple times? Mathematically this makes no sense as the attack "surface" will most likely stay the same no matter how many times the package exist. Attack "surface" is not the same as attack "vectors". Attack surface is a throwaway term that sounds scary but it's a vague, generalized, non-quantifiable colloquialism. Attack vectors are more relevant. I'd need examples of when duplicate packages create additional attack vectors. I can't see how they would in general, but there might be specific scenarios when they do. You'll need to show those scenarios and explain how this library qualifies as one. Given that, by definition, dependencies can only be accessed through an "API surface" (which is the only surface that matters), no matter how many times a dependency is duplicated, the number of attack vectors will most likely stay the same, unless duplicates somehow increase the API surface, or attackers somehow are able to exploit a package when duplicates exist, but not when duplicates do not exist. Otherwise, mathematically it seems reasonable to assume that it's less likely for an attacker to exploit a vulnerability when duplicates do not exist. Prove me wrong.
Removing unused packages is sound advice. Even better, don't add unused packages to your dependencies to begin with, use a linter to avoid this.
Correlation is not causation, and this doesn't really apply to this package anyway.
This is what you would do, as a user. Your research should focus on encouraging maintainers to do the opposite of what you're saying. Rather than removing a commonly used package, they should search their dependency tree for similar packages that are not depended on as much, and remove those in favor of the one that is used more frequently throughout the tree. This strategy will allow tree shakers and duplication to be more effective. |
Issue: We say a project has duplicated dependencies if any package dependency occurs multiple times in the dependency tree. After analyzing the dependency tree, we have detected duplicate packages in your project.
ansi-colors
object.assign
supports-color
string-width
strip-ansi
ansi-regex
Questions: We are conducting a research study on the duplicated package dependencies in JS projects. We were curious:
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Rationale: When a JS application depends on too many packages or on multiple versions of the same package, its attack surface can grow dramatically; hackers can get a higher chance of successfully exploiting the vulnerabilities inside those packages (or versions), and escalating the potential damage. The unnecessary and duplicated dependencies can also make JS projects bloat and lead to extra memory/computation overhead. Therefore, JS application developers are recommended to remove unused and duplicated packages from their projects, in order to eliminate the security risks unnecessarily incurred by those dependencies.
Steps to reproduce:
Suggested Solution: Execute the “npm dedupe” command to reduce the number of duplicate packages, or to manually modify package.json files
Resource:
https://docs.npmjs.com/cli/v7/commands/npm-dedupe
The text was updated successfully, but these errors were encountered: