How to Remediate Known Vulnerabilities
Once you become aware of a vulnerability in a third-party component of your code, you naturally want to get rid of it, says Leo Zhang.
How do you do that? If a fix is available, Zhang explains, there are generally two approaches you can take:
- You can patch the component in place, applying the fix to the version you already depend on.
- You can upgrade to a component version that does not have the vulnerability, by either:
  - Pinning the vulnerable component to a specific version that contains the fix, overriding what your dependency resolver would otherwise select.
  - Doing iterated upgrades of your direct dependencies until the vulnerable version no longer appears in your resolved dependency installation plan (for example, your lockfile).
This article looks at the pros and cons of these tactics, along with related considerations.
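To make the two upgrade tactics concrete, here is an added example (not code from the FOSSA article or from Leo Zhang) that models a small dependency resolver over a constructed package index. The package names `framework` and `parser`, their versions, the application's direct requirement and the "vulnerable range" for `parser` are all assumptions invented for illustration. It shows the trade-off a practitioner cares about: a pin removes the vulnerable version immediately but may override a compatibility range declared by a dependent, while iterated upgrades of the direct dependency reach a fixed version with every declared range still satisfied.

```python
"""Added example: pin versus iterated upgrade on a constructed dependency graph."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]  # (minimum inclusive, maximum exclusive)

# Constructed package index (assumption, not a real registry):
# name -> version -> {dependency name: allowed range}
INDEX: Dict[str, Dict[Version, Dict[str, Range]]] = {
    "framework": {
        (1, 0, 0): {"parser": ((2, 0, 0), (2, 1, 0))},   # only accepts parser 2.0.x
        (1, 1, 0): {"parser": ((2, 0, 0), (3, 0, 0))},   # accepts any parser 2.x
    },
    "parser": {(2, 0, 0): {}, (2, 0, 5): {}, (2, 1, 0): {}, (2, 5, 0): {}},
}

# Constructed advisory (assumption): parser >= 2.0.0, < 2.1.0 is affected.
VULNERABLE: Dict[str, Range] = {"parser": ((2, 0, 0), (2, 1, 0))}

# The application's own direct requirement (assumption).
DIRECT: Dict[str, Range] = {"framework": ((1, 0, 0), (1, 1, 0))}


def in_range(v: Version, r: Range) -> bool:
    lo, hi = r
    return lo <= v < hi


def resolve(direct: Dict[str, Range],
            overrides: Optional[Dict[str, Version]] = None) -> Dict[str, Version]:
    """Pick the highest version of each package that satisfies every range placed on it.

    `overrides` forces a package to a given version regardless of those ranges,
    which is what a pin (npm overrides, a pip constraints file, ...) does.
    """
    overrides = overrides or {}
    plan: Dict[str, Version] = {}
    for _ in range(20):  # fixed-point iteration; this toy graph converges in a few rounds
        constraints: Dict[str, List[Range]] = {n: [r] for n, r in direct.items()}
        for name, ver in plan.items():
            for dep, r in INDEX[name][ver].items():
                constraints.setdefault(dep, []).append(r)
        new_plan: Dict[str, Version] = {}
        for name, ranges in constraints.items():
            if name in overrides:
                new_plan[name] = overrides[name]
                continue
            candidates = [v for v in INDEX[name] if all(in_range(v, r) for r in ranges)]
            if not candidates:
                raise ValueError(f"no version of {name} satisfies {ranges}")
            new_plan[name] = max(candidates)
        if new_plan == plan:
            return plan
        plan = new_plan
    raise RuntimeError("resolution did not converge")


def vulnerable_in(plan: Dict[str, Version]) -> List[Tuple[str, Version]]:
    """Entries of the installation plan that fall inside a vulnerable range."""
    return [(n, v) for n, v in plan.items() if n in VULNERABLE and in_range(v, VULNERABLE[n])]


def pin(direct: Dict[str, Range], name: str, version: Version):
    """Tactic 1: pin the vulnerable component to a fixed version.

    Returns the resulting plan plus every dependent whose declared range the pin
    violates: the vulnerable version is gone, but those compatibility claims
    have been overridden and need testing.
    """
    plan = resolve(direct, overrides={name: version})
    violations = [
        (dep_name, dep_ver)
        for dep_name, dep_ver in plan.items()
        for dep, r in INDEX[dep_name][dep_ver].items()
        if dep == name and not in_range(version, r)
    ]
    return plan, violations


def iterated_upgrade(direct: Dict[str, Range]):
    """Tactic 2: raise the minimum of a direct dependency, re-resolve, and repeat
    until no vulnerable version remains in the plan. Returns (plan, bumps made)."""
    direct = dict(direct)
    bumps: List[Tuple[str, Version, Version]] = []
    for _ in range(20):
        plan = resolve(direct)
        if not vulnerable_in(plan):
            return plan, bumps
        for name, (lo, hi) in list(direct.items()):
            newer = sorted(v for v in INDEX[name] if v > plan[name])
            if newer:  # allow the next release up to the following major version
                direct[name] = (newer[0], (newer[0][0] + 1, 0, 0))
                bumps.append((name, plan[name], newer[0]))
                break
        else:
            raise RuntimeError("no direct dependency left to upgrade; fall back to a pin or a patch")
    raise RuntimeError("too many upgrade rounds")


if __name__ == "__main__":
    print("baseline  :", resolve(DIRECT), "vulnerable:", vulnerable_in(resolve(DIRECT)))
    print("pin       :", pin(DIRECT, "parser", (2, 1, 0)))
    print("iterated  :", iterated_upgrade(DIRECT))
```

Run as a script, the baseline plan selects `parser` 2.0.5, which is inside the constructed vulnerable range. Pinning `parser` to 2.1.0 removes it but reports `framework` 1.0.0 as a dependent whose declared range (`parser` < 2.1.0) the pin overrides, which is exactly the compatibility risk a pin hides. The iterated upgrade instead bumps `framework` to 1.1.0, after which the resolver selects `parser` 2.5.0 with every declared range still honoured.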
Learn more at FOSSA.
08/28/2023