Comments (7)
Unfortunately bower doesn't have special procedures for security updates. General guidelines apply.
from bower.github.io.
Thanks for answering. What do you mean by general guidelines?
We're in 2015; how can such important basics be missing?
Why should anyone use third-party stuff in production without security considerations?
Just update frequently, and report security bugs directly to maintainers, instead of on public issue tracker.
What other steps would you like Bower to do?
I do not have the time to upgrade daily and then test everything (and possibly fix). Or is this the way everyone works with Bower?
I'd like to have a way to get notified of security issues in (my installed) Bower packages. Think of it like the Debian security mailing list: I install packages and get notified of all security updates published, so I can react and see which packages, and where, I need to upgrade.
I guess we can create a mailing list for important announcements.
@toastbrotch Even with NPM, they don't issue security updates. At the time of writing this, you still have to depend on third-party audit modules or apps to notify of new releases.
Having said that, yes, that is a feature that should be integrated into core, be it on Bower or NPM.
Npm currently has many tools to check the security status of packages (e.g. npm audit or online services like GitHub security checks or Snyk checks). We'll also publish CVEs for critical security fixes. I've also added SECURITY.md to the bower repository, which tells you to report security issues directly by e-mail. I hope it's enough.