Your Company Needs an Open Source Strategy
Last week, I wrote about Nordnet’s issues with Reactive Spring and Lettuce: Avoiding Tabloid Headlines – Lessons from the Nordnet Incident.
At first glance, Lettuce’s GitHub repository (redis/lettuce) looks like a true GitHub all-star project: 5.5k stars and 130 contributors. However, a closer look at the contributor graphs tells a different story. The user mp911de, the project’s original creator, may be burned out from maintaining this popular project. Over the past year, the user tishun has taken on some responsibility, but based on commit activity, their involvement does not seem very high.
Is the entire project adrift?
Spring Boot’s spring-boot-starter-data-redis pulls in Lettuce as its default Redis client, so many companies use it without ever naming it in their own build files. Your business might already rely on it. Critical infrastructure should not depend on a library that no one actively maintains, yet that’s exactly what happens.
And this is not just about Lettuce. The npm ecosystem has shown how fragile open source dependencies can be. A single compromised package can push malicious code into thousands of downstream projects the moment it is published. Malicious actors have shipped tampered versions of widely used npm packages that steal credentials and exfiltrate data from every build that installs them. If your company blindly pulls in dependencies without verifying their integrity and maintenance status, you’re playing with fire.
What should you do?
Audit your dependencies. Find out which open source libraries your business is built on, including the transitive ones your build tool resolves without you naming them. Don’t assume they’re actively maintained: check recent releases, commit activity, and how many people actually land changes.
Support key contributors. If a library is essential to your operations, invest in the people maintaining it. Sponsor them, fund their work, or contribute directly.
Get involved. Open source isn’t just free labor—it’s a shared responsibility. Review issues, submit pull requests, and be an active part of the ecosystem you depend on.
Strengthen your supply chain security. Use Software Composition Analysis (SCA) to find known-vulnerable versions in your dependency tree, automated dependency monitoring to get alerted when a new advisory or a suspicious release appears, and checksum or signature verification so that the artifact you build with is the one the maintainer actually published. Catch these problems before they reach production.
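To make the "audit your dependencies" and "automated dependency monitoring" points concrete, here is an added example (not code from the original post, and not a tool from the Spring or Lettuce projects). It reads a CycloneDX SBOM, separates the libraries you declared from the ones your starters pulled in transitively, and flags anything whose maintenance signals look weak. The SBOM fragment, the version numbers, the commit dates and the committer counts are all constructed for the example; in a real audit you would generate the SBOM with your build tool's CycloneDX plugin and fill the maintenance table from the package registry and the project's repository API.

```python
"""Dependency audit over a CycloneDX SBOM: which libraries are transitive
(pulled in by a starter you never named) and which look unmaintained."""
import json
from datetime import date

# Constructed CycloneDX 1.5 SBOM for a hypothetical Spring Boot service.
# Versions are illustrative only; a real SBOM comes from a generator such as
# the CycloneDX Maven or Gradle plugin.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "trading-api", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "starter", "group": "org.springframework.boot", "name": "spring-boot-starter-data-redis", "version": "3.2.2"},
    {"bom-ref": "lettuce", "group": "io.lettuce", "name": "lettuce-core", "version": "6.3.1.RELEASE"},
    {"bom-ref": "netty", "group": "io.netty", "name": "netty-handler", "version": "4.1.105.Final"},
    {"bom-ref": "jackson", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.3"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["starter", "jackson"]},
    {"ref": "starter", "dependsOn": ["lettuce"]},
    {"ref": "lettuce", "dependsOn": ["netty"]},
    {"ref": "netty", "dependsOn": []},
    {"ref": "jackson", "dependsOn": []}
  ]
}
"""

# Constructed maintenance signals keyed by bom-ref. These numbers are made up
# for the example (they are NOT the real figures for any of these projects);
# populate them from the registry and repository APIs in practice.
MAINTENANCE = {
    "starter": {"last_commit": date(2024, 1, 20), "active_committers": 8},
    "lettuce": {"last_commit": date(2023, 5, 2), "active_committers": 1},
    "netty": {"last_commit": date(2024, 1, 18), "active_committers": 12},
    "jackson": {"last_commit": date(2023, 12, 11), "active_committers": 3},
}


def load_graph(sbom_json):
    """Parse the SBOM into (root bom-ref, adjacency map, display names)."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    names = {c["bom-ref"]: f'{c.get("group", "")}:{c["name"]}:{c["version"]}'
             for c in sbom["components"]}
    return root, edges, names


def classify(root, edges):
    """Return (direct, transitive) bom-refs reachable from the root component."""
    direct = set(edges.get(root, []))
    seen, stack = set(), list(direct)
    while stack:  # depth-first walk over the dependency graph
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(edges.get(ref, []))
    return direct, seen - direct


def flag_unmaintained(refs, maintenance, today, max_idle_days=180, min_committers=2):
    """Flag refs idle longer than max_idle_days or carried by too few committers.
    Components with no data are flagged too: 'unknown' is not the same as 'fine'."""
    flags = {}
    for ref in sorted(refs):
        info = maintenance.get(ref)
        if info is None:
            flags[ref] = ["no maintenance data"]
            continue
        reasons = []
        idle = (today - info["last_commit"]).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if info["active_committers"] < min_committers:
            reasons.append(f"{info['active_committers']} active committer(s)")
        if reasons:
            flags[ref] = reasons
    return flags


def audit(sbom_json=SBOM_JSON, maintenance=MAINTENANCE, today=date(2024, 2, 1)):
    """Produce the audit report: what is direct, what is transitive, what is flagged."""
    root, edges, names = load_graph(sbom_json)
    direct, transitive = classify(root, edges)
    flags = flag_unmaintained(direct | transitive, maintenance, today)
    return {
        "direct": sorted(names[r] for r in direct),
        "transitive": sorted(names[r] for r in transitive),
        "flagged": {names[r]: reasons for r, reasons in flags.items()},
    }


if __name__ == "__main__":
    report = audit()
    print("Direct:", *report["direct"], sep="\n  ")
    print("Transitive:", *report["transitive"], sep="\n  ")
    for comp, reasons in report["flagged"].items():
        print(f"FLAG {comp}: {'; '.join(reasons)}")
```

The thresholds (180 idle days, fewer than two active committers) are deliberately crude; the point is that the check runs on every build against a fresh SBOM, so a library that quietly goes stale shows up in CI rather than in a post-incident review. Treating missing maintenance data as a finding matters as much as the thresholds: a component you cannot assess is a component you have not audited.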
Ignoring this issue won’t make it go away. Take action now to ensure the tools you rely on remain stable, secure, and well-maintained.