
    I think about dependency ecosystem dynamics a lot, because my job is making Go applications secure, not simply making Go itself technically secure.

    K8s is thankfully an extreme case, and not necessarily an example of best practices given its size, but there are also a few things that help mitigate the author’s concern, and a few things in the pipeline that should help further.

    Worst-case scenario, something malicious could eventually appear in these and make its way up into other programs.

    First and most importantly, when a dependency is only a module dependency (like this test dep of a dep) and not a build dependency, it can’t get code into the build, so it can’t become malicious and actually cause damage. All it can do is raise the version of other dependencies, but not replace them (this is why replace directives don’t work from outside the main module!). A way to recognize these is that they have only one line in the go.sum (because their source is never downloaded), and don’t end up in the vendor directory.

    The go mod why command was providing me with nothing.

    Dependencies that don’t affect the build don’t show up on go mod why, although I think they will show up in go mod why -m, which works at the module level rather than package.

    Starting in Go 1.17, a lot of these dependencies that don’t affect the build will get dropped even from the module dependency tree, thanks to lazy modules, a large refactor of how modules are loaded that I am really looking forward to.

    Relatedly, we are working on a first-class vulnerability tracking story, so that known vulnerabilities that affect the build will be easy to identify and remediate, even in a large tree like k8s.

    Finally, I am thinking about what tooling and documentation we could provide to help library and application authors actively manage their dependency trust tree. Maybe a GitHub Action (and CLI tool) to show the changes in dependencies that affect the build? A web UI to explore the graph, filtering for dependencies that affect the build, and highlighting trust domains? I’d love to hear what people would find useful here.
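As an added example (not part of this comment or of the Go project's own tooling), a small Go program that applies the go.sum heuristic described above, separating modules that have only a `/go.mod` hash line (source never downloaded, so no code in the build) from modules that also have a zip hash line. The go.sum fragment and its hashes are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// ModuleOnlyDeps splits the module paths in a go.sum into two sets. A module
// whose only lines end in "/go.mod" had just its go.mod hashed: it was used
// for version selection but its source was never downloaded, so none of its
// code can reach the build. A module with a plain "h1:" zip line had source
// fetched at some point (go.sum can keep stale lines; confirm with go mod why -m).
func ModuleOnlyDeps(gosum string) (moduleOnly, withSource []string) {
	mods := map[string]bool{} // module path -> any zip hash seen?
	sc := bufio.NewScanner(strings.NewReader(gosum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue // blank or malformed line
		}
		mods[f[0]] = mods[f[0]] || !strings.HasSuffix(f[1], "/go.mod")
	}
	for p, src := range mods {
		if src {
			withSource = append(withSource, p)
		} else {
			moduleOnly = append(moduleOnly, p)
		}
	}
	sort.Strings(moduleOnly)
	sort.Strings(withSource)
	return moduleOnly, withSource
}

// sampleGoSum is a constructed go.sum fragment; hashes are placeholders.
const sampleGoSum = `
github.com/example/app-dep v1.2.0 h1:PLACEHOLDERHASH=
github.com/example/app-dep v1.2.0/go.mod h1:PLACEHOLDERHASH=
github.com/example/test-only v0.3.1/go.mod h1:PLACEHOLDERHASH=
github.com/example/old-version v1.0.0/go.mod h1:PLACEHOLDERHASH=
github.com/example/old-version v1.1.0 h1:PLACEHOLDERHASH=
github.com/example/old-version v1.1.0/go.mod h1:PLACEHOLDERHASH=
`
func main() {
	mo, ws := ModuleOnlyDeps(sampleGoSum)
	fmt.Println("module-only (no code in build):", mo)
	fmt.Println("source downloaded (review these):", ws)
}
```

Note that a module is classified by path across all of its versions: old-version has only a `/go.mod` line for v1.0.0 but a zip line for v1.1.0, so it lands in the reviewed set.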