ASVS Level(s): [L1]
Description:
Summary
The application enforces a 30-day maximum dependency age through code (`_MAX_AGE_DAYS = 30` in `scripts/check_when_dependencies_updated.py`) with pre-commit enforcement, but this policy is not documented in application documentation as required by ASVS 15.1.1. New team members must read code to understand the policy, and the pre-commit hook incorrectly references 'ASVS 15.2.1' instead of '15.1.1'. There is no documented rationale for the 30-day value.
Details
Current enforcement mechanism:
- Script reads the `exclude-newer` timestamp from `uv.lock`
- Fails the build if dependencies exceed 30 days old
- Verified on every commit via pre-commit hook
Issues identified:
- Policy exists only in code (`scripts/check_when_dependencies_updated.py`, lines 30-31)
- No documented rationale for the 30-day value
- Pre-commit hook description references the wrong ASVS section (`.pre-commit-config.yaml`, lines 148-153)
- No centralized policy document for team reference
ASVS 15.1.1 requires dependency management policies to be defined in application documentation, not just enforced in code.
Affected files:
- `scripts/check_when_dependencies_updated.py`, lines 30-31
- `.pre-commit-config.yaml`, lines 148-153
Recommended Remediation
- Create policy documentation: add a documented reference in `SECURITY.md` or `docs/dependency-remediation-policy.md`:

```markdown
## Dependency Update Policy
### General Library Updates (ASVS 15.1.1)
- **Maximum age:** 30 days
- **Rationale:** Balance between stability and security freshness
- **Enforcement:** Automated pre-commit hook checks `exclude-newer` timestamp
- **Verification:** Every commit triggers dependency age validation
```

- Fix ASVS reference: correct `.pre-commit-config.yaml` line 150 from 'ASVS 15.2.1' to 'ASVS 15.1.1'
- Add code comments: reference the policy document in `scripts/check_when_dependencies_updated.py`:

```python
# Enforces 30-day maximum dependency age per dependency-remediation-policy.md
_MAX_AGE_DAYS = 30
```

Estimated effort: ~1 hour
Acceptance Criteria
- Dependency update policy documented in `SECURITY.md` or `docs/dependency-remediation-policy.md`
- ASVS reference in `.pre-commit-config.yaml` corrected to 15.1.1
References
- Source reports: L1:15.1.1.md
- Related findings: FINDING-198
- ASVS sections: 15.1.1
Priority
Low