Keep Dependencies Up to Date

Severity: High

Description

Using outdated libraries can introduce security vulnerabilities, compatibility issues, and reduced performance, as older dependencies may lack recent bug fixes and security patches. In blockchain development, using outdated dependencies is particularly risky because the decentralized nature of the ecosystem amplifies the consequences of vulnerabilities or compatibility issues. Unlike traditional applications, blockchain systems operate in trustless environments where security, reliability, and performance are paramount.

What should be avoided

Example 1

The following code relies on an outdated library that may contain deprecated or insecure functions:

#![allow(unused)]
fn main() {
use outdated_library::deprecated_fn;
}

Example 2

The following configuration uses an outdated branch of the Polkadot-SDK repository, which may include deprecated features, unresolved issues, or security vulnerabilities:

# In Cargo.toml
sp-runtime = { git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v1.0.0" }

Best practice

Regularly update dependencies to their latest stable versions, ensuring the use of secure and well-maintained functions:

Example 1

Replace deprecated functions by migrating to the latest version of the library:

#![allow(unused)]
fn main() {
use latest_library::safe_fn;
}

Example 2

Ensure you are using the most recent stable branch of the Polkadot SDK repository:

# In Cargo.toml
sp-runtime = { git = "https://github.com/paritytech/polkadot-sdk.git", branch = "polkadot-stable2409" }

By updating to the latest versions, you benefit from security improvements, performance enhancements, and better compatibility, ensuring a more robust and secure application.

Polkadot SDK Best Practices