We all start out with good intentions but these often fall by the wayside as the competing priorities of feature delivery come to the fore.
Refactoring, bug fixes, planned deprecations and defined upgrade paths are a discussion for another day.
Currently, one of the biggest security issues developers face is outdated third-party dependencies. Staying on top of these can be a Sisyphean task. GitHub’s Dependabot is a fantastic step forward but you can also use an audit step in your pipelines and git hooks; don’t commit – or deploy – anything known to be insecure.
I only recently discovered the npm audit fix
The tool comes in two parts. One to use during development –
These dependency updates can – and should – be automated. To help facilitate this, it’s important to also have robust automated testing in place in your pipelines that can give you confidence that these updates don’t result in any unintended consequences.
However, not everything can be covered by automation. For example, is the project documentation still up to date? Check it over – regularly. You can at least automate reminders about the management of these review tasks by creating recurring events in your team calendar and setting an alert to raise them in the relevant stand-ups to ensure that they get actioned. Once completed, update a review log in the project repository accordingly, recording any resulting findings along with the date on which the next review is scheduled.
#dev #documentation #security #work