This document outlines the process for identifying, assessing, and remediating security vulnerabilities in the Stellar Tipz project dependencies.
The project runs automated vulnerability scans weekly via GitHub Actions:
- Rust Dependencies:
cargo auditscans for vulnerabilities in Soroban contract dependencies - JavaScript Dependencies:
npm audit --audit-level=highscans frontend and contract npm packages - Schedule: Every Monday at 00:00 UTC
Dependabot automatically creates pull requests for dependency updates:
- Frequency: Weekly on Mondays
- Scope: All Rust, JavaScript, and GitHub Actions dependencies
- Grouping: Related updates are grouped together (e.g., React dependencies, Stellar SDK dependencies)
- Labels: All PRs are labeled with
dependenciesand the appropriate ecosystem
- Action Required: Immediate remediation (within 24-48 hours)
- Impact: Exploitable vulnerabilities that can lead to complete system compromise
- Process:
- Create emergency fix PR
- Request immediate review from maintainers
- Deploy hotfix to production
- Communicate to users if data exposure is possible
- Action Required: Remediation within 1 week
- Impact: Vulnerabilities that could lead to significant data loss or service disruption
- Process:
- Assess exploitability in our context
- Create fix PR
- Include in next scheduled release
- Monitor for exploitation attempts
- Action Required: Remediation within 1 month
- Impact: Vulnerabilities with limited impact or requiring specific conditions
- Process:
- Evaluate risk vs. upgrade effort
- Schedule for next minor release
- Track in project backlog
- Action Required: Remediation when convenient
- Impact: Minor vulnerabilities with minimal impact
- Process:
- Address during regular dependency updates
- No immediate action required
Vulnerabilities are detected through:
- Automated weekly scans (GitHub Actions)
- Dependabot security alerts
- Manual security advisories
- Community reports
For each detected vulnerability:
- Review the advisory: Understand the vulnerability details, affected versions, and exploitability
- Check impact: Determine if the vulnerable code path is used in our application
- Assess severity: Use CVSS score and exploitability to determine priority
- Identify fix: Find the patched version or alternative solution
- Review the PR description and changelog
- Test the changes locally:
# For Rust dependencies cd contracts cargo update cargo test # For JavaScript dependencies cd frontend-scaffold npm install npm test
- Merge if tests pass and no breaking changes
- Update the dependency to a patched version
- Run tests to ensure compatibility
- Create a PR with:
- Clear description of the vulnerability
- Reference to the security advisory
- Test results
- Any code changes required
- Critical vulnerabilities: Deploy hotfix immediately
- High vulnerabilities: Include in next release
- Medium/Low vulnerabilities: Include in next minor/major release
After deployment:
- Re-run security scans to confirm fix
- Monitor application logs for exploitation attempts
- Verify no regressions in functionality
cd contracts
cargo install cargo-audit
cargo audit --deny warnings# Frontend
cd frontend-scaffold
npm audit --audit-level=high
# Contracts
cd contracts
npm audit --audit-level=high# For npm
npm audit fix
# For manual fixes
npm install package@latest
# For cargo
cargo update package- Keep dependencies updated: Regularly review and update dependencies
- Lock files: Commit
package-lock.jsonandCargo.lockto ensure reproducible builds - Pin versions: Use exact versions for critical dependencies
- Review advisories: Subscribe to security advisories for key dependencies
- Test updates: Always test dependency updates before merging
- Monitor alerts: Configure alerts for security notifications
If a security incident occurs:
-
Immediate Actions:
- Identify the scope of the vulnerability
- Determine if user data is affected
- Assess if immediate shutdown is required
-
Communication:
- Notify maintainers and stakeholders
- Prepare public communication if user data is exposed
- Coordinate with security team if applicable
-
Remediation:
- Apply patches following the process above
- Deploy fixes with urgency
- Monitor for exploitation attempts
-
Post-Incident:
- Conduct post-mortem analysis
- Update security practices based on lessons learned
- Document the incident for future reference
- GitHub Security Advisories
- NPM Security
- Rust Security Advisories
- CVSS Calculator
- Dependabot Documentation
For security concerns or to report a vulnerability:
- Create a private security advisory on GitHub
- Contact maintainers directly
- Follow the project's security policy