Apostrophe? #106
Apostrophe is an Open Source Node.js based CMS: https://apostrophecms.org
https:/apostrophecms/apostrophe
100% JavaScript ...
100% unpredictable ...
Requires a Specific (Ancient) Version of MongoDB: 2.6.10
If you read their .travis.yml file, you will see that Apostrophe requires a specific
There is no comment or "Docs" anywhere in the project indicating why this is the case.
MongoDB just released 4.0 https://www.mongodb.com
Which means that Apostrophe has "pinned" a Database version that is two Major versions behind without a clear reasoning (which there undoubtedly is...!)
What this means in practice is that a user (developer using apostrophe for their CMS) will install the latest version of MongoDB and think that "everything just works", only to discover (usually in production) that there is an obscure feature of MongoDB 2.6.10 that is required by the CMS and now you need to take your site offline in order to downgrade the version of your database to avoid the constant crashing. 😞
Security?
There is a https://apostrophecms.org/support/security page which boldly states:
How do you know...?!
Anyone who has spent more than a "bootcamp" worth of time writing software will know that making this kind of claim is naive at best.
What part of the Apostrophe "stack" is secure?
How are they actively and automatically testing it?
Who is responsible for maintaining the security of every part of the system?
Is it "secure by default"? e.g: will the content editor page fail to load if the protocol is not HTTPS?
After reading the "Apostrophe is Secure" nonsense I completely lost interest in doing further research into this platform.
Top tip to Developers who are starting out their career:
When any software claims to be "secure" without being specific,
e.g: We run automated tests for the "OWASP Top 10", implement "security by default" principles and have multiple CISA/CEH/WCSD certified people on the QA team who regularly review the codebase, so that you have "peace of mind" throughout the lifecycle of your project.
Run Away as Fast as You Can!!!
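As an added example that is not part of this issue and is not Apostrophe's own code: the two concrete complaints above, an undocumented database-version pin that only surfaces as crashes in production, and a "secure" claim with no stated default such as refusing the editor over plain HTTP, can both be turned into explicit startup and per-request checks that fail fast with a readable reason. The policy values (`2.6.10` as the minimum, `2.7.0` as the exclusive upper bound), the function names, and the `trustProxy` option are assumptions for illustration; the comment about obtaining the version through the driver's `admin().serverInfo()` describes how one would feed the check in a real deployment and is not executed here.

```javascript
'use strict';

// Parse "4.0.1", "v2.6.10" or "2.6.10-rc0" into [major, minor, patch].
// A missing patch component is treated as 0; any non-numeric tail is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version string: ${JSON.stringify(v)}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Three-way comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Compatibility policy as a documented, inclusive-minimum / exclusive-maximum
// range instead of a silent pin buried in CI config. Returns { ok, reason } so
// the caller can log the reason and abort startup instead of crashing later.
function checkMongoVersion(serverVersion, policy) {
  const { min, maxExclusive } = policy;
  if (compareVersions(serverVersion, min) < 0) {
    return { ok: false, reason: `MongoDB ${serverVersion} is older than the minimum supported ${min}` };
  }
  if (maxExclusive && compareVersions(serverVersion, maxExclusive) >= 0) {
    return { ok: false, reason: `MongoDB ${serverVersion} is untested; supported range is >=${min} <${maxExclusive}` };
  }
  return { ok: true, reason: `MongoDB ${serverVersion} is within the supported range >=${min} <${maxExclusive}` };
}

// Secure-by-default decision for an editor route: allow the request only when
// it arrived over TLS. `req.secure` is what Express sets for a direct TLS
// connection; the X-Forwarded-Proto header is honoured only when the operator
// has explicitly declared a trusted proxy, because anyone can send that header.
function editorRequestAllowed(req, { trustProxy = false } = {}) {
  if (req.secure) return true;
  if (trustProxy) {
    const raw = (req.headers && req.headers['x-forwarded-proto']) || '';
    // With chained proxies the header is comma separated; the first entry is
    // the scheme the client actually used.
    const proto = String(raw).split(',')[0].trim().toLowerCase();
    return proto === 'https';
  }
  return false;
}

// Assumed policy mirroring the 2.6.10 pin described in the issue: accept any
// 2.6.x at or above 2.6.10, reject everything else with a clear message.
const EXAMPLE_POLICY = { min: '2.6.10', maxExclusive: '2.7.0' };

// Demo over constructed version strings. In a real service the value would come
// from the driver, e.g. (await client.db().admin().serverInfo()).version
// (assumption about the driver API; not called here so the file runs offline).
for (const v of ['2.6.10', '2.6.12', '4.0.0']) {
  const r = checkMongoVersion(v, EXAMPLE_POLICY);
  console.log(`${v}: ${r.ok ? 'OK' : 'ABORT'} - ${r.reason}`);
}

// Demo of the HTTPS gate over constructed request objects.
const directTls = { secure: true, headers: {} };
const behindProxy = { secure: false, headers: { 'x-forwarded-proto': 'https' } };
console.log('direct TLS allowed:', editorRequestAllowed(directTls));
console.log('proxy header, proxy not trusted:', editorRequestAllowed(behindProxy));
console.log('proxy header, proxy trusted:', editorRequestAllowed(behindProxy, { trustProxy: true }));
```

Wiring `checkMongoVersion` into startup and aborting when `ok` is false is what converts the "works until production" failure the issue describes into a one-line error at deploy time; `editorRequestAllowed` is the kind of concrete, testable default a "secure" claim could point to.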