To help developers and security teams make informed decisions, Endor Labs provides a prioritized list of recommended upgrades for each project and package. The recommendations are made after assessing the following criteria to determine the impact and complexity of an upgrade:
- Vulnerabilities associated with a dependency’s current version and those of its transitive dependencies
- Resolved vulnerabilities associated with a dependency’s later versions and those of its transitive dependencies
- Heuristic factors that influence the probability of breaking changes
- Program analysis to directly identify breaking changes
Endor Labs provides an assessment of upgrade options for each dependency, including the potential impact and risk of each option. These options include:
- The latest version of the software
- The latest vulnerability-free version
- The most impactful update with moderate evidence of breaking changes
- The most impactful update with low evidence of breaking changes
Remediation risk
Endor Labs evaluates the remediation options for each recommended upgrade and assigns a remediation risk. There are three categories of remediation risk.
- High Remediation Risk: This risk level is assigned when Endor Labs has high confidence that a breaking change will occur.
- Medium Remediation Risk: This risk level is assigned when Endor Labs has identified a potential breaking change but has low to moderate confidence in its impact. It is also assigned when there are major version conflicts that the upgrade could affect.
- Low Remediation Risk: This risk level is assigned when there is minimal or no evidence suggesting that a breaking change will occur. The absence of evidence does NOT guarantee that it will not break your application.
To assign remediation risk, Endor Labs looks for breaking changes associated with the upgrade and conflicts between dependency versions.
Breaking changes
Breaking changes may require you to refactor your code to complete an upgrade, because the new version introduces incompatibilities. A breaking change may occur for any of the following reasons:
- API Changes: When the public interface of a library changes, such as through renaming or removing functions, altering function signatures, or modifying expected input or output parameters.
- Behavioral Changes: When the underlying behavior of a function or method changes, even if the interface remains the same. This can lead to unexpected results or introduce issues.
- Dependency Updates: When a dependency of a dependency (a transitive dependency) introduces breaking changes, the higher-level dependency can be affected.
- Deprecations and Removals: When deprecated features are finally removed or altered significantly.
- Configuration Changes: When the configuration format or options for a library change.
- Changes in Supported Platforms: When a library drops support for certain platforms or versions of platforms, for example, an older version of Go.
Dependency conflicts
Dependency conflicts occur when different parts of a software project require different versions of the same dependency. These conflicts can cause various issues, such as build failures, runtime errors, or unexpected behavior. When there are major or minor version conflicts in your dependency graph, the impact can vary depending on the nature of the conflicts and the specific dependencies involved.
While conflicts do not necessarily guarantee that updating will impact your application, they increase the likelihood that changes may affect it.
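The following added example (not Endor Labs' code or algorithm) turns the criteria above into a small triage routine: it diffs public function signatures for the API-change criterion, finds major version conflicts in a requirements map, and assigns High, Medium or Low remediation risk according to the three categories described earlier. It assumes a library version is represented as a dict of function name to parameter tuple, that the application's reached functions come from its call graph, and that requirements map each requirer to its pinned versions; all sample data is constructed.

```python
# Illustrative remediation-risk triage following the criteria on this page.
# Added example, not Endor Labs' code or algorithm. Assumptions: a library
# version is a dict of public function -> tuple of parameter names; "reached"
# is the set of functions on the application's call paths; requirements map
# each requirer -> {package: version}. All sample data is constructed.

def api_changes(old_api, new_api):
    """API-change criterion: removed public functions and altered signatures.
    Conservative: any signature difference counts. Behavioral changes are
    invisible here, so an empty result is not proof that nothing breaks."""
    removed = sorted(set(old_api) - set(new_api))
    changed = sorted(f for f in old_api.keys() & new_api.keys()
                     if old_api[f] != new_api[f])
    return removed + changed

def major_version_conflicts(requirements):
    """Dependency-conflict criterion: packages pinned to different major
    versions by different requirers after the upgrade."""
    majors = {}
    for pins in requirements.values():
        for pkg, version in pins.items():
            majors.setdefault(pkg, set()).add(int(version.split(".")[0]))
    return sorted(pkg for pkg, seen in majors.items() if len(seen) > 1)

def assess_upgrade(old_api, new_api, reached, requirements):
    """Return (risk, evidence). A changed API on an application call path is
    taken as high-confidence evidence (High); a change the application never
    reaches, or a major version conflict, as Medium; otherwise Low. Low means
    no evidence was found, not that the upgrade is safe."""
    affected = api_changes(old_api, new_api)
    evidence = {
        "reached": [f for f in affected if f in reached],
        "unreached": [f for f in affected if f not in reached],
        "major_conflicts": major_version_conflicts(requirements),
    }
    if evidence["reached"]:
        return "High", evidence
    if evidence["unreached"] or evidence["major_conflicts"]:
        return "Medium", evidence
    return "Low", evidence

# Constructed sample: "libparse" 1.x -> 2.0 changes parse()'s signature and
# removes legacy_decode(); the application only reaches parse() and version().
OLD_API = {"parse": ("data",), "legacy_decode": ("blob",), "version": ()}
NEW_API = {"parse": ("data", "strict"), "version": ()}
REACHED = {"parse", "version"}
# After the upgrade the app pins libjson 3.x while libparse 2.0 wants 2.x.
REQS = {"app": {"libparse": "2.0.0", "libjson": "3.1.0"},
        "libparse": {"libjson": "2.4.0"}}
```

Calling `assess_upgrade(OLD_API, NEW_API, REACHED, REQS)` returns High because the changed `parse()` is on a call path; with `parse()` unreached the same upgrade drops to Medium on the strength of the unreached removal and the libjson conflict alone.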
View upgrade recommendations
To see Endor Labs upgrade recommendations:
- Log in to Endor Labs.
- Go to Projects and navigate to a project you would like to review.
- Once you’re in the project, click Remediations.
- You’ll be presented with a list of dependencies that have fixed security vulnerabilities in your project and their associated packages. You can filter the attributes of these findings to identify the dependencies with the most impact on your organization.
- Click on the dependency that most interests you to review upgrade options.
- Each upgrade option will have information about the fixed findings and risks associated with that upgrade.
Review remediation risk
Once you have a specific remediation option of interest, you can review the impact and the evidence for the remediation risk associated with that upgrade.
To review the impact and risk of an upgrade option:
- Click on the drawer icon on the right side of an upgrade recommendation.
- Under Overview, you can review a summary of the upgrade and the Fixed Findings associated with an upgrade.
- Under Potential Conflicts, you can review any major or minor version conflicts in the package as well as which direct dependencies have transitives that are in conflict.
- Under Breaking Changes, you can review any identified breaking changes, their confidence, and their call paths.