Fuzzing confused dependencies with Depfuzzer
In the landscape of software development, leveraging open-source libraries and packages through registries like NPM, PyPI, Go modules, and Crates for Rust has become standard practice. This approach facilitates the rapid integration of diverse functionalities into applications, driving both innovation and efficiency across the development community. While the benefits of using these resources are clear, the management of external dependencies introduces a set of considerations regarding security and maintainability.
Inspired by Alex Birsan's blogpost on Dependancy confusion, we are going to introduce the tool Depfuzzer. This tool enables the search for failing dependencies across various projects.
The tool will initially list all the dependencies of the projects and then gather information for each of them from the website https://deps.dev/. From there, it is possible to determine if a dependency exists and is still maintained.
Other checks have also been added, such as the validity of the maintainer's email, for example.