Modern applications use many third-party dependencies (libraries, packages), and those dependencies may contain vulnerabilities or be outright malicious. Managing dependency security (scanning, updating and reviewing them) matters because vulnerable dependencies are a common attack vector (OWASP).
Why this matters: dependencies are part of your attack surface
Apps depend on MANY third-party packages (and their transitive dependencies):
→ a vulnerability in ANY dependency is a vulnerability in YOUR app
→ "using components with known vulnerabilities" is an OWASP Top 10 risk
→ MALICIOUS packages (typosquatting, compromised packages) — supply chain attacks
→ you're trusting/running a lot of code you didn't write.
Managing dependency security
✓ SCAN dependencies for known vulnerabilities (SCA tools): npm audit, Dependabot, Snyk, OWASP Dependency-Check → integrate into CI (catch per change)
✓ KEEP DEPENDENCIES UPDATED → patch known vulnerabilities (but test updates)
✓ AUTOMATE → Dependabot/Renovate open PRs for vulnerable/outdated deps
✓ MONITOR → vulnerability databases / alerts for your dependencies
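As an added example (not code from the original notes), here is a small CI gate in Python that parses the JSON report `npm audit --json` emits (npm 7+ report shape) and fails the build when any finding reaches the chosen severity threshold, which is the "integrate into CI" step above. The package names and advisory title in the embedded sample are constructed for illustration, not real advisories.

```python
import json
import sys

# Constructed sample in the shape of `npm audit --json` (npm 7+, auditReportVersion 2).
# Package names, ranges and the advisory title are made up, not real advisories.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "via": [{"title": "Prototype pollution (constructed)", "severity": "high"}],
            "range": "<2.0.1", "fixAvailable": True,
        },
        "example-util": {
            "name": "example-util", "severity": "moderate", "isDirect": False,
            "via": ["example-parser"], "range": "*", "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
})

# npm's severity scale, ordered so thresholds can be compared numerically.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def evaluate_audit(report_json, fail_at="high"):
    """Return (should_fail, findings) for a CI gate over an npm audit report.

    A finding is 'blocking' when its severity is at or above `fail_at`.
    Direct dependencies are listed first so the team fixes what it controls."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at]
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        findings.append({
            "package": name,
            "severity": sev,
            "direct": bool(vuln.get("isDirect")),          # your package.json vs transitive
            "fix_available": bool(vuln.get("fixAvailable")),  # `npm audit fix` can resolve it
            "blocking": SEVERITY_RANK.get(sev, 0) >= threshold,
        })
    findings.sort(key=lambda f: (not f["blocking"], not f["direct"], f["package"]))
    return any(f["blocking"] for f in findings), findings


if __name__ == "__main__":
    # Usage in CI: `npm audit --json | python audit_gate.py`; exits non-zero on blocking findings.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    fail, found = evaluate_audit(data)
    for f in found:
        print(f"{'BLOCK' if f['blocking'] else 'warn '} {f['severity']:<9} {f['package']}"
              f" direct={f['direct']} fix={f['fix_available']}")
    sys.exit(1 if fail else 0)
```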
