Avoid New Dependencies
- Use existing (possibly indirect) dependencies.
- Minimize attack surface.
Evaluate Intended Version
- Verify you are evaluating the intended version of the software, not a personal or attacker-controlled fork.
- Check project name and website link.
- Verify fork relation on GitHub/GitLab.
- Check foundation affiliation, creation time, and popularity.
Check Maintenance
- Look for significant recent activity (commits within the last year).
- Verify last release (within the last year).
- Ensure multiple maintainers from different organizations.
- Look for recent releases/announcements.
- Check whether the version string signals instability (e.g., a major version of "0", or "alpha"/"beta" tags).
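As an added example (not part of the original checklist), the maintenance checks above applied to a constructed metadata snapshot in Python. The ProjectMetadata fields, the one-year thresholds and the pre-release tags recognized by is_unstable_version are this example's own assumptions; in practice the dates and maintainer list would be taken from the project's repository and release pages.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass
class ProjectMetadata:
    """Constructed snapshot of a project's public metadata (sample input, not real data)."""
    name: str
    version: str
    last_commit: str        # ISO date of the most recent commit
    last_release: str       # ISO date of the most recent release
    maintainer_orgs: list   # one organization name per active maintainer


# Tags that mark a pre-release; assumed list, extend for the ecosystem you evaluate.
PRERELEASE_RE = re.compile(r"(alpha|beta|rc|dev|pre|snapshot)", re.IGNORECASE)


def is_unstable_version(version: str) -> bool:
    """True when the version string signals instability: a 0.x major version or a pre-release tag."""
    v = version.strip().lstrip("vV")
    if v.split(".", 1)[0] == "0":
        return True
    return bool(PRERELEASE_RE.search(v))


def maintenance_findings(meta: ProjectMetadata, today: str) -> list:
    """Apply the maintenance checks; an empty list means the project passed all of them."""
    now = date.fromisoformat(today)
    one_year = timedelta(days=365)
    findings = []
    if now - date.fromisoformat(meta.last_commit) > one_year:
        findings.append("no commits within the last year")
    if now - date.fromisoformat(meta.last_release) > one_year:
        findings.append("no release within the last year")
    if len(set(meta.maintainer_orgs)) < 2:
        findings.append("maintainers do not span multiple organizations")
    if is_unstable_version(meta.version):
        findings.append(f"version {meta.version!r} signals instability")
    return findings


# Constructed samples: one healthy project and one that fails every check.
HEALTHY = ProjectMetadata("libok", "2.3.1", "2024-05-20", "2024-03-01", ["Org A", "Org B", "Org A"])
STALE = ProjectMetadata("libold", "0.4.0-beta", "2022-01-15", "2021-12-01", ["Solo Inc"])

if __name__ == "__main__":
    for project in (HEALTHY, STALE):
        findings = maintenance_findings(project, "2024-06-01")
        print(project.name, "->", findings or "all maintenance checks passed")
```

The organization check deliberately counts distinct organizations rather than maintainers, so three maintainers from one employer still trigger the finding.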
Security Practices
- Verify up-to-date package dependencies.
- Look for security documentation (e.g., an assurance case).
- Assess CI pipeline automated tests and test coverage.
- Confirm that bugs (especially security bugs) are fixed promptly and check whether a long-term support (LTS) version is available.
- Check use of code hosting security features (e.g., branch protection).
- Review security audits and issue resolutions.
- Ensure current version is free of significant vulnerabilities.
Ease of Secure Use
- Secure default configuration and examples.
- Secure interface/API design.
- Available guidance on secure usage.
Vulnerability Reporting
- Look for instructions on reporting vulnerabilities (e.g., following the Guide to Coordinated Vulnerability Disclosure).
Significant Use
- Assess user base size and reputation.
- Beware of typosquatting (check similar names).
License Considerations
- Ensure a clear, widely used OSI-approved license that is consistent with the intended use.
Test Addition Impact
- Add the dependency in an isolated environment:
  - Check for malicious behavior.
  - Identify unexpected/unnecessary indirect dependencies.
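As an added example (not part of the original checklist), a Python script that reads the JSON report produced by running `pip install --dry-run --report report.json <package>` in a fresh virtual environment and lists the packages that would be pulled in only as indirect dependencies. The report layout used here (an "install" list whose entries carry "requested" and "metadata") follows pip's report format; the sample report, its package names and the expected set are constructed for this example.

```python
import json

# Constructed sample of a `pip install --dry-run --report` JSON document (pip >= 22.2).
# Only the fields used below are included; package names are illustrative.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "install": [
        {"requested": True,  "metadata": {"name": "example-lib", "version": "1.4.0"}},
        {"requested": False, "metadata": {"name": "idna", "version": "3.6"}},
        {"requested": False, "metadata": {"name": "mystery-helper", "version": "0.0.3"}},
        {"requested": False, "metadata": {"name": "certifi", "version": "2024.2.2"}},
    ],
})


def indirect_dependencies(report_json: str) -> dict:
    """Name -> version for every package the resolver added without being asked for."""
    report = json.loads(report_json)
    return {
        entry["metadata"]["name"]: entry["metadata"]["version"]
        for entry in report.get("install", [])
        if not entry.get("requested", False)
    }


def unexpected_indirect(report_json: str, expected: set) -> dict:
    """Indirect dependencies that the candidate's own documentation did not lead you to expect."""
    return {name: version for name, version in indirect_dependencies(report_json).items()
            if name not in expected}


if __name__ == "__main__":
    # 'expected' would normally be built from the candidate's documented requirements.
    with open("report.json", "w") as fh:
        fh.write(SAMPLE_REPORT)   # stand-in for the file pip would write
    with open("report.json") as fh:
        report = fh.read()
    for name, version in unexpected_indirect(report, {"idna", "certifi"}).items():
        print(f"unexpected indirect dependency: {name}=={version}")
```

Because `--dry-run` resolves without installing, nothing from the candidate package runs on your machine during this step; the behavioral check for malicious activity still needs the package to be installed and exercised inside a disposable sandbox.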
Code Evaluation
- Review source code for secure development practices.
- Identify insecure/incomplete code (e.g., TODO statements).
- Analyze top problems reported by static analysis tools.
- Look for malicious code indicators (e.g., data exfiltration, obfuscated values).
- Run software in a sandbox to detect malicious code.
- Execute all defined test cases.
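As an added example (not part of the original checklist), a small Python source scanner for the code-evaluation items above: it flags incomplete-code markers (TODO/FIXME), imports of networking modules, dynamic code execution on non-literal input, decoding of embedded payloads, and high-entropy string literals that may be obfuscated values. The module and call lists, the 40-character/4.5-bit thresholds and the two sample sources are this example's own assumptions; findings are leads for manual review, not verdicts.

```python
import ast
import math
import re

# Assumed indicator lists; tune them for the ecosystem and file being reviewed.
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "requests",
                   "http.client", "ftplib", "smtplib"}
DECODER_CALLS = {"base64.b64decode", "b64decode", "codecs.decode", "zlib.decompress"}
INCOMPLETE_RE = re.compile(r"\b(TODO|FIXME|XXX)\b")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or obfuscated blobs score high."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _call_name(node: ast.Call) -> str:
    """Render the callee as 'f' or 'mod.f'; empty string for anything more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class IndicatorVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name in NETWORK_MODULES:
                self.findings.append((node.lineno, f"network module imported: {alias.name}"))
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module in NETWORK_MODULES:
            self.findings.append((node.lineno, f"network module imported: {node.module}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in {"exec", "eval"}:
            arg = node.args[0] if node.args else None
            if not isinstance(arg, ast.Constant):
                self.findings.append((node.lineno, f"{name}() on a non-literal argument"))
        if name in DECODER_CALLS:
            self.findings.append((node.lineno, f"embedded payload decoded via {name}()"))
        self.generic_visit(node)

    def visit_Constant(self, node):
        value = node.value
        if isinstance(value, str) and len(value) >= 40 and " " not in value \
                and shannon_entropy(value) > 4.5:
            self.findings.append((node.lineno, "high-entropy string literal (possible obfuscated value)"))


def scan_source(source: str) -> list:
    """Return (line, description) findings for one Python source file, sorted by line."""
    visitor = IndicatorVisitor()
    visitor.visit(ast.parse(source))
    findings = list(visitor.findings)
    for lineno, line in enumerate(source.splitlines(), start=1):
        if INCOMPLETE_RE.search(line):
            findings.append((lineno, "incomplete-code marker: " + line.strip()))
    return sorted(findings)


# Constructed samples: an unremarkable helper and a file showing every indicator at once.
BENIGN_SAMPLE = '''
import os

def read_config(path):
    with open(path) as handle:
        return handle.read()
'''

SUSPICIOUS_SAMPLE = '''
import base64
import socket

# TODO: remove before release
BLOB = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210+/"
exec(base64.b64decode(BLOB))
'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, "->", scan_source(sample) or "no indicators")
```

The scanner never executes the code it inspects, which is the point of doing static review before the sandboxed run; the BLOB in the suspicious sample is a constructed 64-distinct-character string chosen to trip the entropy check, not a real payload.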