Investigate more robust dependency management for high-impact dependencies
mgwalker opened this issue
Greg Walker commented
In particular, the @slack/bolt dependency does a huge amount of our security legwork. Is there more we can do to verify that we have the genuine article from NPM, and not something that has been compromised?
One possibility might be cloning the Bolt repo and pulling into Charlie from that. Then we could update Bolt periodically from upstream, but since we'd be taking NPM out of the equation, we wouldn't have that to worry about.