Probably a stupid question from a mostly backend engineer, but I legitimately do not understand why it is important to keep your packages up to date if your backend is secure.
Current stack – API with Flask secured by an @before_request checking the JWT, API calls to the database binding parameters and only using user input for GET requests inside of WHERE clauses, nginx as a proxy server between the API and the application (HTTPS only, SSL implemented, rate limiting implemented, optionally whitelisting IPs in the case of a DDoS).
Why do the front end dependencies need to be updated if the backend stack is highly secure?
2 Answers
Front-end dependencies can also (indirectly) have malicious behavior which affects your highly secure backend application.
Example: An attacker finds a vulnerability in one of your frontend dependencies which he is able to exploit somehow. Or he inserts malware in one of your dependencies and has control over your frontend as long as this backdoor is not found (supply-chain attack). Both of these attack vectors will not stay forever; they will be fixed by the developer of the dependency when they know about the issue. But for now the attacker can read/export the JWT of your user (or any data loaded from your backend) due to a bad function of the dependency, as long as you have not updated to the latest version where this issue was fixed by the developer of the dependency.
This mostly assumes web frontend, but can also potentially be applicable to other front ends.
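An added example (not part of the answer above) of the "exposed until you update to the fixed version" point: it checks the resolved versions in a constructed `package-lock.json` against a constructed advisory list and reports which installed packages still sit inside a vulnerable range. Package names and advisories are hypothetical.

```javascript
// Added example: report installed front-end packages whose version falls in a
// known-vulnerable range. Lockfile and advisories below are constructed data.

// Constructed package-lock.json fragment (lockfileVersion 2/3 "packages" shape).
const LOCKFILE = {
  packages: {
    "node_modules/widget-lib": { version: "1.4.2" }, // hypothetical package names
    "node_modules/date-fmt": { version: "3.0.1" },
    "node_modules/chart-kit": { version: "2.9.0" },
  },
};

// Constructed advisories: first vulnerable version and first fixed version.
const ADVISORIES = [
  { name: "widget-lib", introduced: "1.2.0", fixed: "1.5.0", note: "token leak" },
  { name: "chart-kit", introduced: "2.0.0", fixed: "2.9.0", note: "XSS" },
  { name: "date-fmt", introduced: "2.0.0", fixed: "2.4.0", note: "ReDoS" },
];

// Compare dotted numeric versions; negative/zero/positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// A version is affected when introduced <= version < fixed (fixed itself is safe).
function isAffected(version, adv) {
  return compareVersions(version, adv.introduced) >= 0 &&
         compareVersions(version, adv.fixed) < 0;
}

// Walk the lockfile (handles nested node_modules paths) and collect exposures.
function findExposed(lockfile, advisories) {
  const exposed = [];
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    const name = path.replace(/^.*node_modules\//, "");
    for (const adv of advisories) {
      if (adv.name === name && isAffected(entry.version, adv)) {
        exposed.push({ name, installed: entry.version, fixed: adv.fixed, note: adv.note });
      }
    }
  }
  return exposed;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findExposed(LOCKFILE, ADVISORIES));
}
```

Run it against a real lockfile and the advisory data from `npm audit --json` to get the same answer for your own tree.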
I will give you a non-security reason why you should keep your front end packages up-to-date:
Because at some point in time you are going to get a change request.
You are going to have to try to add a new dependency, that will require you to upgrade an existing dependency for compatibility, that will break 5 other things, and that will loop back on itself fractastically because something something small libraries.
If you don’t keep your front-end dependencies up-to-date after a year or two you won’t be able to modify them without declaring package.json bankruptcy and starting over because the convoluted knot won’t let you update them one at a time.