Question about dependencies

Hello,

Following the story of the open-source developer who corrupted his own libraries, I wonder if something similar could happen to Kirby? That the core of Kirby is affected by a corrupted dependency?

If this happens, what are the solutions on your side and devs’ side?

Thank you for your feedback.


Hi @Elisa and welcome to the forum! :wave:

Because of the way we load our dependencies, the probability of something like this happening to Kirby is pretty low. Let’s take a look at the two dependency sources we use:

  • For PHP we use Composer. Every dependency is pinned to a specific version. So unless the developer of such a dependency overwrites a released Git tag with another commit, the code of all dependencies stays the same. It is not possible to corrupt Kirby with a new package version of a dependency. We also commit the dependency code to the Kirby repo and ship it with every release. Each time we update the dependencies, we carefully review the code changes. If you update Kirby from the ZIP file or via a Git submodule, you are protected against unvalidated dependency code. Installation via Composer leaves the small risk of overwritten Git tags. I don’t think such an attack has happened so far in the Composer ecosystem, but if you need your backend code to be fully protected, Composer installation should be avoided.
  • For the frontend we use npm. We don’t pin the dependencies, but we use a package-lock.json and test the frontend before every release. We then ship the tested dist files. Of course we can still miss issues in npm dependencies as we cannot review every single code change of the whole dependency tree.

So in summary, you always get dependency files that have been tested by us before the release. This reduces the risk quite a bit. I’d say that Kirby’s backend code is pretty well protected against such issues and the risk to Kirby’s frontend code is reduced as much as possible.

In case such an issue would occur despite our protection measures, we would release a security update for Kirby as soon as we are aware of the issue.

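The Composer point above, as an added example that is not Kirby's own code: a composer.lock entry records the commit each pinned version resolved to, so a re-pointed release tag shows up as a changed reference under an unchanged version string. The script audits a constructed lock file for entries that are not tied to a full commit hash and compares two lock files for exactly that signature (the vendor/package names, URLs and hashes are made up for the example).

```python
"""Audit composer.lock data for dependencies not tied to an immutable commit, and
for version tags whose underlying commit changed between two lock files."""
import json
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # Composer references for git sources are full SHA-1s


def _reference(pkg):
    """Commit (or tag/branch name) a lock entry resolved to, from source or dist metadata."""
    return (pkg.get("source") or {}).get("reference") or (pkg.get("dist") or {}).get("reference")


def audit_lock(lock_json: str) -> dict:
    """Group package names by how firmly the lock entry pins them."""
    lock = json.loads(lock_json)
    findings = {"commit_pinned": [], "tag_or_branch_ref": [], "no_reference": []}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        ref = _reference(pkg)
        if ref is None:
            findings["no_reference"].append(pkg["name"])
        elif SHA1_RE.fullmatch(ref):
            findings["commit_pinned"].append(pkg["name"])
        else:
            findings["tag_or_branch_ref"].append(pkg["name"])
    return findings


def moved_tags(old_lock_json: str, new_lock_json: str) -> list:
    """Packages whose version string is unchanged but whose commit reference differs:
    the signature of a release tag having been re-pointed upstream."""
    def index(lock_json):
        lock = json.loads(lock_json)
        return {p["name"]: (p["version"], _reference(p))
                for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    old, new = index(old_lock_json), index(new_lock_json)
    return sorted(name for name in old.keys() & new.keys()
                  if old[name][0] == new[name][0] and old[name][1] != new[name][1])


# Constructed sample lock files with hypothetical vendor/package names (not Kirby's).
OLD_LOCK = json.dumps({"packages": [
    {"name": "vendor/pinned", "version": "1.2.3",
     "source": {"type": "git", "url": "https://example.invalid/pinned.git", "reference": "a" * 40}},
    {"name": "vendor/tag-only", "version": "2.0.0",
     "source": {"type": "git", "url": "https://example.invalid/tag-only.git", "reference": "v2.0.0"}},
    {"name": "vendor/local", "version": "dev-main", "dist": {"type": "path", "url": "../local"}},
]})
# Same versions everywhere, but vendor/pinned 1.2.3 now resolves to a different commit.
NEW_LOCK = OLD_LOCK.replace("a" * 40, "b" * 40)
```

Run `moved_tags` against the lock file committed with a release and the one produced by a fresh `composer update` to see which unchanged versions now point at different code.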

Thank you for this detailed answer!
It’s pretty reassuring :)