aws / aws-cdk-rfcs

RFCs for the AWS CDK

CDK third-party dependencies management

skinny85 opened this issue · comments

Description

The CDK depends on many third-party open-source libraries. Because of that, it needs to manage what happens when a security issue is found in one of them, and how to defend against supply chain attacks.

Roles

  • Driver (drives the proposal to completion): @skinny85
  • Approver(s): (assigned by CDK team)

What is the proposition here? Sounds interesting.

I reckon this issue should raise the question about AWS funding these 3rd party tools in a business partnership model. A tool like @feross @SocketDev could really shine here, but again, a funding and license model is key.

Marking this RFC as stale like the associated PR. We appreciate the effort that has gone into this proposal. Marking an RFC as stale is not a one-way door. If you have made substantial changes to the proposal, please open a new issue/RFC. You might also consider raising a PR to aws/aws-cdk directly or self-publishing to Construct Hub.