Code of the Day
AdvancedSecurity Fundamentals

Secrets and dependencies

Protect credentials, and manage the risk that comes with other people's code.

FundamentalsAdvanced8 min read
Recommended first
By the end of this lesson you will be able to:
  • Handle secrets without leaking them
  • Explain the supply-chain risk of dependencies
  • Keep dependencies patched and minimal

Two everyday sources of breaches that have little to do with clever attacks: leaked and vulnerable dependencies. Both are about hygiene, and both are squarely within your control.

Handling secrets

A secret is anything that grants access — , tokens. The rules, building on the configuration lesson:

  • Never commit them. Git history is permanent; a key pushed even once is compromised. Keep secrets in environment variables or a secrets manager, and .gitignore secret files.
  • Rotate on exposure. If a secret leaks, revoke and reissue it — deleting the commit isn't enough, since clones and forks retain it.
  • Scope them tightly. Least privilege again: a key that can only read one bucket is far less dangerous than an all-powerful one.
  • Don't log them. Secrets in logs are secrets leaked (the observability lesson's warning).

The dependency supply chain

Modern projects run mostly other people's code — hundreds of transitive dependencies (the project-shape lesson's node_modules). Each is code you're trusting and a potential entry point. This is supply-chain risk: a vulnerability — or malice — in a dependency becomes a vulnerability in you.

Practical hygiene:

  • Keep dependencies updated — most exploits target known, already-patched flaws. Tools that scan for vulnerable versions (e.g. npm audit, Dependabot) flag them.
  • Pin versions with a lockfile so builds are reproducible and an update is a deliberate, reviewable event.
  • Minimise what you pull in — every dependency is attack surface and maintenance. Do you really need a package for a three-line function?
  • Vet new additions — is it maintained, widely used, reputable?

Be wary of typosquatting: malicious packages named almost like popular ones (reqeusts, lodahs). Double-check the exact name before installing, and be suspicious of a brand-new package an agent suggests.

Where to go next

Last in this module: a tour of the common vulnerabilities every developer should recognise.

Finished reading? Mark it complete to track your progress.

Authentication and authorization

Who are you, and what are you allowed to do — two different questions.

Common vulnerabilities

The recurring flaws — injection, XSS, and friends — and the habits that prevent them.

On this page

Handling secretsThe dependency supply chainWhere to go next