HTTP dependency
Severity
High
Short Description
Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.
Suggestion
Publish the HTTP URL dependency to npm or a private package repository and consume it from there.
Information
The HTTP Dependency Alert is triggered when a package resolves dependencies from remote HTTP or HTTPS URLs instead of trusted, immutable package registries like npm. This practice introduces significant risks related to security, stability, and reproducibility. Dependencies fetched from URLs bypass the typical vetting and integrity checks enforced by package registries, making them prone to exploitation. Using URL-based dependencies introduces significant challenges, including unpredictability, dependency drift, and the potential for supply chain attacks.
Why HTTP Dependencies are Risky
- Unpredictable Content
- Dependencies fetched via URLs can change without notice, making builds non-reproducible and introducing breaking changes or vulnerabilities.
- Dependency Drift
- Over time, URL-based dependencies may deviate from their initial state, causing inconsistencies that are hard to track and manage.
- Compliance Violations
- Many regulations and industry standards mandate secure, reproducible software supply chains. URL-based dependencies can lead to non-compliance.
- Auditing Challenges
- URL-based dependencies are harder to monitor and audit compared to those in official registries.
Recommended actions
To mitigate the risks associated with HTTP dependencies:
Publish Dependencies to Trusted Registries
- Move URL-based dependencies to secure registries like npm or private repositories. Update project configurations to reference these trusted sources.
Replace HTTP URLs in Configuration Files
- Audit your dependency files (e.g.,
package.json,requirements.txt).
Pin Dependencies to Specific Versions
- Use versioned packages from official registries to ensure stability and predictability. Avoid dependencies pointing to branches or tags that can be altered.
Automate HTTPS Enforcement
- Implement tools or CI/CD scripts to flag and replace insecure HTTP dependencies.
Conduct Regular Audits
- Regularly monitor and review your dependencies for security risks and compliance issues.
Examples
Package: 07-cli
Here's an example of a package with this alert. It is considered a high severity alert in the supply chain risk category.
The alert links to package.json where the Git repo is listed as a dependency:
Detection Method
Socket identifies HTTP Dependency Alerts by analyzing the package configuration files for dependencies sourced from remote URLs. It flags both HTTP and HTTPS connections, emphasizing the risks associated with non-immutable dependencies.