Document status: ⚠️ DRAFT

CPAN Dependency Risk Mitigation

This guide is INFORMATIONAL and should be considered as a continuously developing document. Please ensure you check this document regularly for updates.

Corrections or improvements to this text can be filed in the security.metacpan.org issue tracker. Pull requests are also welcome.

Assessing risk in the CPAN ecosystem

Please see our CPAN Risk Assessment Guide.

Mitigating risk in the CPAN ecosystem

For component projects published on CPAN

  1. Consider adopting a distribution whose owner is unresponsive and which has been made available for adoption via the ADOPTME facility on PAUSE/CPAN
  2. Consider assisting a distribution whose owner is looking for co-maintainer support, via the NEEDHELP facility on PAUSE/CPAN
  3. Consider taking over a distribution whose owner is looking for someone to hand it off to, via the HANDOFF facility on PAUSE/CPAN
  4. Look for funding options for the projects in question
  5. Update the required minimum version of a dependency when that dependency releases a security fix, so that installers no longer resolve to the vulnerable release
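The following cpanfile fragment is an added example of step 5; it is not part of this guide, and the module names and version numbers are placeholders rather than real advisories. It shows an unversioned requirement beside the same requirement with its floor raised to the first release carrying a fix.

```perl
# cpanfile (added example, not from this guide). Module names and
# version numbers are placeholders, not real advisories.
#
# Before: no minimum version, so a fresh install may still resolve
# to a release that predates the security fix.
#
#   requires 'Some::Dependency';
#
# After: the floor is raised to the first fixed release. cpanm, cpm
# and carton will refuse to satisfy the requirement with an older,
# vulnerable version.
requires 'Some::Dependency', '>= 1.23';

# Test-only dependencies get the same treatment; a vulnerable test
# helper still runs in CI and on developer machines.
on 'test' => sub {
    requires 'Test::Some::Helper', '>= 0.42';
};
```

After raising the floor, regenerate the distribution's META.json/META.yml (for example by re-running Makefile.PL or your build tool) and release a new version, since installers read the prerequisites from the published metadata rather than from a cpanfile in the repository.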

For the CPAN ecosystem itself, including PAUSE, MetaCPAN and any other supporting systems

  1. Fund ongoing security improvement work, via the Perl and Raku Foundation, or through the relevant projects themselves.

See Also

  1. See https://neilb.org/adoption/ for a better list of candidates for adoption if you are open to taking responsibility beyond your direct dependency requirements.
  2. How to adopt a CPAN distribution
  3. The PAUSE Operating Model
  4. Blog post: How will NIS2 affect the supply chain security approach?

Legislative background

NIS2

  • Article 21(2)(d); (⚠️ unconfirmed)
  • Article 22; (⚠️ unconfirmed)
    • Recitals (90), (91); (⚠️ unconfirmed)
  • For internal risk assessments
    • Recital (85); (⚠️ unconfirmed)