Highest Rated Comments


_Odaeus_ (19 karma)

I switched from Lastpass and am a happy Bitwarden user. A few days ago I wanted to try out the Linux CLI client by installing it with npm. It brought to my attention that the Bitwarden clients are all built upon the security-hostile NPM package ecosystem. The installation command itself outputs that there are 4 known important security vulnerabilities in the dependencies!

Most importantly, how do you protect against a malicious actor who could subvert one of the large number of dependencies to add code that leaks Bitwarden passwords?

I can't find mention of a policy for this in any of your audit documents. And even though package versions are pinned, there are commits that just seem to upgrade a package like "open" to the latest.

Thanks!
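The concern above is about pinned dependencies that can still be silently swapped or bumped. As an added illustration, not code from the commenter or from Bitwarden, the helper below reviews two constructed npm lockfile snapshots: it flags entries that cannot be verified (no sha512 integrity hash, or fetched from somewhere other than the registry over https) and reports every pinned version that changed between the snapshots, which is the kind of check a reviewer would run on a "bump open to latest" commit. Package names, versions, URLs and hash strings are all constructed sample data.

```python
"""Lockfile review helper: flags npm dependencies that cannot be verified
and reports version bumps between two package-lock.json snapshots."""
import json

# Constructed sample lockfiles (npm lockfileVersion 3 layout); hashes are placeholders.
OLD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-cli", "version": "1.0.0"},
    "node_modules/open": {"version": "8.4.0",
        "resolved": "https://registry.npmjs.org/open/-/open-8.4.0.tgz",
        "integrity": "sha512-CONSTRUCTED_OLD_HASH"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        "integrity": "sha512-CONSTRUCTED_HASH"},
}})
NEW_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-cli", "version": "1.0.0"},
    "node_modules/open": {"version": "9.1.0",
        "resolved": "https://registry.npmjs.org/open/-/open-9.1.0.tgz",
        "integrity": "sha512-CONSTRUCTED_NEW_HASH"},
    # Constructed bad entry: no integrity hash, and fetched from a non-registry http mirror.
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "http://mirror.example.invalid/left-pad-1.3.0.tgz"},
}})

def load_packages(lock_json):
    """Return {package path: metadata} for every dependency, skipping the root entry."""
    return {p: m for p, m in json.loads(lock_json)["packages"].items() if p}

def unverifiable(lock_json):
    """Dependencies lacking a sha512 integrity hash or not fetched from the registry over https."""
    findings = []
    for path, meta in load_packages(lock_json).items():
        integrity = meta.get("integrity", "")
        resolved = meta.get("resolved", "")
        if not integrity.startswith("sha512-"):
            findings.append((path, "missing or weak integrity"))
        if not resolved.startswith("https://registry.npmjs.org/"):
            findings.append((path, "unexpected source: " + resolved))
    return findings

def version_bumps(old_json, new_json):
    """(package, old version, new version) for each dependency whose pin changed; old is None if newly added."""
    old, new = load_packages(old_json), load_packages(new_json)
    return [(p, old.get(p, {}).get("version"), m["version"])
            for p, m in new.items() if old.get(p, {}).get("version") != m["version"]]
```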

_Odaeus_ (12 karma)

Thanks. Sadly it doesn't; it's concerning that this is entirely unaddressed.

I've read the audits and they seem to be about business processes with no mention I've been able to find about this issue or development in general.

A bug bounty programme is only useful after a breach has been introduced; by then it would be too late, no?

_Odaeus_ (3 karma)

That would be amazing, thanks 🙏🏻. Hopefully I've just missed the relevant document.