Security by Deletion

April 28, 2018

I guess there’s a first time for everything, so imagine my surprise when an email from GitHub about a security warning showed up in my Inbox this past week.

Granted, the Node ecosystem has a large number of modules, each with its own dependencies, which may have security vulnerabilities from time to time. Nothing really surprising about that… with one exception.

The specific vulnerability is in a sub-dependency of a module I don’t control, and the supposed fix is to bump the version number in package-lock.json. However, this file is automatically generated by npm install and exists to ensure you install the exact same version of every module on each install. The prevailing opinion, based on what I’ve read, is that editing the file by hand is not recommended unless you are really confident in what you’re doing.
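Before touching a lock file, it helps to know which top-level module actually pulls in the flagged package and which installed copies are below the patched release. The script below is an added example and not code from the original post; it walks the nested `dependencies` tree of a lockfileVersion 1 package-lock.json (the format npm 5/6 generated in 2018) and resolves each `requires` entry the way Node's module lookup would. The lock-file contents, the package names (`build-tool`, `tiny-util`, `other-lib`) and the versions are all constructed for the example.

```javascript
// Constructed sample lock file in the lockfileVersion 1 layout (nested `dependencies`,
// per-package `requires`). Package names and versions are made up for this example.
const sampleLock = {
  name: "example-site",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "build-tool": {
      version: "2.1.0",
      requires: { "tiny-util": "^1.0.0" },
      // Not hoisted: the root already holds an incompatible 3.x copy.
      dependencies: {
        "tiny-util": { version: "1.2.3" }
      }
    },
    "tiny-util": { version: "3.0.0" },
    "other-lib": {
      version: "0.5.0",
      requires: { "tiny-util": "^3.0.0" }
    }
  }
};

// Resolve `name` the way Node would from the innermost package in `chain`:
// check the nearest enclosing `dependencies` map first, then walk outward to the root.
function resolveVersion(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies || {};
    if (deps[name]) return deps[name].version;
  }
  return null;
}

// Every package whose `requires` names `target`, with the range it asked for and the
// version that resolution actually hands it. `dependent` is the nesting path.
function findDependents(lock, target) {
  const hits = [];
  function walk(node, path, chain) {
    for (const [name, entry] of Object.entries(node.dependencies || {})) {
      const nextChain = chain.concat(entry);
      const nextPath = path.concat(`${name}@${entry.version}`);
      const requires = entry.requires || {};
      if (requires[target]) {
        hits.push({
          dependent: nextPath.join(" > "),
          range: requires[target],
          resolved: resolveVersion(nextChain, target)
        });
      }
      walk(entry, nextPath, nextChain);
    }
  }
  walk(lock, [], [lock]);
  return hits;
}

// Every installed copy of `target` (there can be several, at different nesting depths).
function installedCopies(lock, target) {
  const copies = [];
  function walk(node, path) {
    for (const [name, entry] of Object.entries(node.dependencies || {})) {
      const nextPath = path.concat(`${name}@${entry.version}`);
      if (name === target) copies.push({ path: nextPath.join(" > "), version: entry.version });
      walk(entry, nextPath);
    }
  }
  walk(lock, []);
  return copies;
}

// Numeric x.y.z comparison; enough to decide whether a copy predates the patched release.
// Pre-release tags are deliberately not handled.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Copies of `target` still below `fixedIn`; these are the ones the alert is about.
function copiesBelow(lock, target, fixedIn) {
  return installedCopies(lock, target).filter(c => versionLessThan(c.version, fixedIn));
}

// Constructed run: pretend the advisory says tiny-util is fixed in 1.3.0.
console.log(findDependents(sampleLock, "tiny-util"));
console.log(copiesBelow(sampleLock, "tiny-util", "1.3.0"));
```

The output tells you which direct dependent (here `build-tool@2.1.0`) is the reason the old copy exists and what range it declared. That is the module to update or drop; bumping the nested version string in the lock file by hand leaves the dependent's declared range unchanged, so the next `npm install` may simply put the old version back.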

My fix? Remove Workbox and rewrite my Service Worker by hand. In total, it’s 63 lines of code, most of which I’d already written for Minima.