Overview

This section outlines the best practices for using third-party scripts in our codebase. These guidelines are designed to ensure that our projects maintain high levels of security, performance, and maintainability. Third-party scripts can be useful but must be handled with caution to prevent security risks and reliability issues.

Preferred Methods of Inclusion

Always prioritize importing third-party libraries using tools like npm instead of directly linking to a CDN. This ensures better version control, security, and integration within the project’s build process.

Version Control

Specify Version Numbers

Always use explicit version numbers when installing dependencies. Do not use @latest, which can introduce breaking changes or malicious code without warning.

Version Locking

Ensure the package-lock.json file is committed to the repository so that installs resolve to the same locked versions across environments.
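The following script is an added example, not part of the original guideline page: it audits a package.json for dependency specs that are not pinned to an exact version, as the "Specify Version Numbers" rule requires. The manifest below is constructed sample input (the package names are placeholders); only the field names follow npm's package.json format.

```javascript
// Added example: report dependency specs that are not exact versions.
// Exact semver: MAJOR.MINOR.PATCH with optional prerelease / build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return null for a pinned spec, otherwise a short reason it is not pinned.
function describeSpec(spec) {
  if (typeof spec !== "string" || spec.trim() === "") return "empty spec (resolves to latest)";
  const s = spec.trim();
  if (EXACT_VERSION.test(s)) return null;
  if (s === "latest" || s === "*") return "floating tag/wildcard";
  if (/^[\^~]/.test(s)) return "range prefix (^ or ~)";
  if (/^(https?:|git\+|github:|file:)/.test(s)) return "non-registry source";
  return "range or dist-tag";
}

// Collect one finding per unpinned spec; devDependencies are included by default.
function findUnpinned(manifest, includeDev = true) {
  const sections = includeDev ? ["dependencies", "devDependencies"] : ["dependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const reason = describeSpec(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Human-readable report lines, one per finding.
function report(manifest) {
  return findUnpinned(manifest).map(
    (f) => `${f.section}: ${f.name}@"${f.spec}" -> ${f.reason}`
  );
}

// Constructed sample manifest (placeholder package names) mixing pinned and unpinned specs.
const SAMPLE_MANIFEST = {
  dependencies: {
    "left-pad": "1.3.0",                          // pinned
    "lodash": "^4.17.21",                         // caret range
    "some-widget": "latest",                      // floating tag
    "internal-lib": "github:example-org/internal-lib", // non-registry source
  },
  devDependencies: {
    "eslint": "8.57.0",                           // pinned
    "jest": "~29.7.0",                            // tilde range
  },
};

console.log(report(SAMPLE_MANIFEST).join("\n"));
```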

Security Best Practices

Regular Audits

Ensure Dependabot is enabled on the repository to receive automated security updates and alerts for outdated dependencies. Regularly audit dependencies for vulnerabilities and update them as needed. If a third-party script is no longer maintained or poses a security risk, consider removing it from the project.

Dependency Assessment

Before adding a new dependency, evaluate:
  1. Is the source reputable and well-maintained?
  2. Does the project have a healthy update cycle and active contributors?
  3. Are there any reported vulnerabilities or major issues?

Dependency Management

Use Dependabot or similar tools to automate the process of checking for outdated dependencies and applying security patches. Configure it to only update dependencies (not devDependencies) unless development tools are also critical.