Quiz Entry - updated: 2026.06.25
What should you watch out for when using third-party libraries and frameworks?
Their vulnerabilities become yours — track them, patch them quickly, and make sure your access-control logic stays consistent across the whole codebase.
Three concrete concerns:
- Choice: be deliberate. Auditing a library is real work; "I'll just
npm installthis random thing" doesn't scale to a secure app. Prefer well-maintained, widely-reviewed dependencies. - Consistency: if you use multiple frameworks (e.g. one for API, one for admin UI), make sure access-control logic is consistent across all of them. The classic bug is "the API checks but the admin UI doesn't" because they used different middleware.
- Detection & remediation: subscribe to vulnerability feeds (the vendor's CVE list, GitHub Dependabot, Snyk, npm audit, OSV) so you find out fast when a CVE drops. Then have a process to actually patch —
Equifaxwas an outdated Apache Struts.
This is OWASP A06:2021 — Vulnerable and Outdated Components (titled Using Components with Known Vulnerabilities, A9, in the 2017 edition). It's been in the Top 10 for over a decade because patching is unglamorous and easy to skip.
Tip: Lockfiles (package-lock.json, Cargo.lock, Pipfile.lock) give you reproducible installs and a clean diff when something changes — that's where dependency-scanning tools look.