Question for the team regarding maintenance on the OSS dependencies shipping with Heat: ffmpeg, nodejs, etc.
Are you all keeping up to date with the latest versions, especially when one needs to be running the latest versions to be safe from attacks mitigated by their security fixes?
NodeJS for example drops details on releases containing security updates here:
https://groups.google.com/forum/#!topic/nodejs-sec/jGPlKJyLIxI
Quite a few bugs in there for March 2018.
And FFmpeg does similarly with this page:
https://www.ffmpeg.org/security.html
Where they list CVEs fixed in each release.
Hi,
Thank you for your question.
We use Github's https://github.com/electron as a runtime engine to host our custom built web client as desktop apps on Windows, Linux and Macs.
Before we build the client we make sure to always update and upgrade to the latest Electron pre-built packages available for the major version against which we have built our client.
We did the same for this latest build.
Normally security issues and updates are always backported to each still-supported Electron version, and these are made available as an update, which we are alerted to simply by running the electron builder script. For this build and for any past build that was the case as well.
Unfortunately I believe it's close to impossible to always update all software against any zero-day exploit the day, week or month it comes out.
That said, parts like FFmpeg and the PDF viewer that come standard with Electron are, by the nature of our client, never touched or invoked. What I mean is you can't remotely play any video or audio file or open a PDF doc in the HEAT client.
Your question did make us look more closely into keeping build dependencies up to date, and it's something we will be looking into in order to harden this aspect even more. So thank you for that!