October 28-29, 2024 | Tokyo, Japan
Tuesday October 29, 2024 12:00 - 12:40 JST
Developers are often faced with an overwhelming number of vulnerabilities reported against their dependencies. The best way to deal with this is to keep all dependencies up to date; however, this is not possible for everyone. Bringing every dependency of an older project up to date takes a lot of work, as does figuring out which dependencies and versions to update in response to vulnerabilities. The open source OSV project built a feature called "guided remediation" to automatically update dependencies while minimising breakages. Upgrades that fix a greater number of vulnerabilities at once are prioritised. Mechanisms such as vulnerability dependency depth have also been developed to further help prioritise the work. While developing this functionality to tackle these problems, we discovered that this is not as easy as it sounds. There are complexities in every step of the whole process: scanning project files, resolving dependencies in ecosystems with complicated rules, determining possible updates, and writing the results back to the files. This talk explores the many challenges faced within npm and Maven, their complicated rules, and potential solutions for wider ecosystem support.
Speakers

Xueqin Cui, Software Engineer, Google
Xueqin is a Software Engineer working on Google's Open Source Security team.

Michael Kedar, Software Engineer, Google
Michael is a Software Engineer working on Google's Open Source Security Team.
Main Hall