How does Obsidian handle supply chain security?

Hi.

I am currently considering Obsidian since it introduced Bases-- and I am quite hesitant, to be honest, since it is an Electron app and as such usually relies on countless npm packages.

As a security researcher and software engineer, I have always been very wary / skeptical of any Electron app or npm package in general. But with the more recent major supply chain attacks, things got even more serious / concerning / pressing imho.

So, it would be nice if the Obsidian team could give an insight into what they do to secure their supply chain and maybe even give some rough details about the scope of their external packages?

Thanks in advance for the transparency,
Matthias

Thanks for your hint to the official documentation but I (hopefully) have done my homework before posting and I read through everything security related-- especially the audit reports. So I know about the outdated and possibly vulnerable packages which are only used in the dev environment and I have seen the (rather short) list of open source projects used.

Still, all that unfortunately doesn’t answer my initial question, I am afraid: How does the team handle its supply chain that is bundled in Obsidian? Also, I am skeptical that the list of projects used is even somewhat close to exhaustive since it would be surprisingly short-- which would be nice.

Sorry for being so inquisitive (and it is not meant as an accusation or anything alike). Just trying to understand the security posture of Obsidian before actually seriously using it.

By the way, the answer to the above questions would be a great addition to those security pages and I imagine corporate clients have asked the same questions in the past as well.

Gotcha. You didn’t mention, and I certainly wouldn’t assume that.

(I’m catching up on some of the news about these recent attacks. And I’m not on the dev team, fwiw.)

No worries. I should have mentioned that I have been through all the relevant material before I posted. :smile: I (usually) never post anywhere before I haven’t exhausted the documentation and/or source code and couldn’t come up with an answer myself.

Regarding my question(s) though: I fear I won’t get an official answer which would really be a pity. :sob:

Here is an example of an outdated package that is insecure: Prism 1.29.0

Link: https://github.com/PrismJS/prism/issues/3864

I assume when a CVE for Prism is released then devs will get notified, or at least there should be scripts / tools that automatically monitor compromised packages.

1 Like

Thank you for providing the example and your opinion on the matter.

As I mentioned before, I am a security researcher and software engineer myself, so I can easily come up with a multitude of things that the Obsidian team does or does not do. But at the end of the day, this is all conjecture and means nothing, unfortunately. All that matters is an official “statement” from the Obsidian team itself on how they handle the security of their supply chain behind the scenes.

And as a side note: Updating to the latest versions is only one part of the puzzle and both part of the solution and the problem. What do they do to make sure (as much as possible) that they don’t fall victim to a supply chain attack-- either targeted or simply by bad luck / chance?

But like I said earlier, I fear those questions won’t be answered and that in itself would also be an answer-- just not a very good one. I gotta admit though, I am somewhat disappointed and expected more transparency and communication…

I have the update for prism.js lined up with our next release - but just FYI I read the vulnerability report and Obsidian is not affected because we are not using prism-autoloader, which is the attack vector for this specific issue. Either way, it will be updated to 1.30.0 in an upcoming Obsidian update.

3 Likes

As for supply chain attacks, we are working on a blog post to give more details. We have a pretty good process in place that makes us fairly resistant to these (strict versioning lockfile, delayed version upgrades, restricted postinstall scripts, etc). Will share more details soon.

6 Likes
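The three measures named above (a strict lockfile, delayed version upgrades, restricted install scripts) can each be turned into a mechanical check that runs in CI before `npm ci`. The script below is an added illustration written for this thread, not Obsidian's own tooling (which the thread does not show); the lockfile fragment, package names, publish timestamps, the 7-day cooldown and the allowlist are all constructed values.

```python
"""Policy check over an npm package-lock.json (lockfileVersion 2/3 "packages" map).

Rules enforced (constructed example policy, not Obsidian's):
  1. top-level dependency specs in package.json must be exact versions (no ^ or ~),
  2. every resolved package must carry a "resolved" URL and an "integrity" hash,
  3. packages with install hooks (npm marks them "hasInstallScript") must be allowlisted,
  4. a version may only be used once it is older than a cooldown period.
"""
import json
import re
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7                        # assumed "delayed upgrade" window
INSTALL_SCRIPT_ALLOWLIST = {"electron"}  # assumed: packages allowed to run install hooks
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

# Constructed lockfile fragment; registry host and hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"pinned-lib": "1.4.2", "fresh-lib": "^2.0.0", "hooky-lib": "~0.9.0"}},
        "node_modules/pinned-lib": {
            "version": "1.4.2",
            "resolved": "https://registry.example.invalid/pinned-lib/-/pinned-lib-1.4.2.tgz",
            "integrity": "sha512-CONSTRUCTED_PINNED_LIB_HASH"},
        "node_modules/fresh-lib": {
            "version": "2.0.1",
            "resolved": "https://registry.example.invalid/fresh-lib/-/fresh-lib-2.0.1.tgz",
            "integrity": "sha512-CONSTRUCTED_FRESH_LIB_HASH"},
        "node_modules/hooky-lib": {
            "version": "0.9.3",
            "resolved": "https://registry.example.invalid/hooky-lib/-/hooky-lib-0.9.3.tgz",
            "hasInstallScript": True},
    },
})

# Constructed publish timestamps, shaped like the "time" map of registry metadata.
SAMPLE_PUBLISH_TIMES = {
    "pinned-lib": {"1.4.2": "2025-03-01T10:00:00.000Z"},
    "fresh-lib": {"2.0.1": "2025-09-19T08:30:00.000Z"},
    "hooky-lib": {"0.9.3": "2025-06-10T12:00:00.000Z"},
}
SAMPLE_NOW = datetime(2025, 9, 22, tzinfo=timezone.utc)  # constructed "today"


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (name after the last node_modules/)."""
    return lock_path.rsplit("node_modules/", 1)[1]


def check_lockfile(lock_json, publish_times, now, cooldown_days=COOLDOWN_DAYS,
                   allow_install_scripts=INSTALL_SCRIPT_ALLOWLIST):
    """Return a sorted list of (package, rule) findings; an empty list means the policy passed."""
    packages = json.loads(lock_json).get("packages", {})
    findings = []
    # Rule 1: exact top-level specs, so regenerating the lockfile cannot silently drift.
    for name, spec in packages.get("", {}).get("dependencies", {}).items():
        if not EXACT_VERSION.match(spec):
            findings.append((name, "range-spec"))
    cutoff = now - timedelta(days=cooldown_days)
    for path, entry in packages.items():
        if path == "":
            continue
        name, version = package_name(path), entry.get("version")
        # Rule 2: tarball must be pinned by URL and content hash.
        if not entry.get("resolved") or not entry.get("integrity"):
            findings.append((name, "missing-integrity"))
        # Rule 3: install hooks are the usual place for malicious payloads; require an allowlist entry.
        if entry.get("hasInstallScript") and name not in allow_install_scripts:
            findings.append((name, "install-script"))
        # Rule 4: cooldown, so a freshly published (possibly hijacked) release is not picked up immediately.
        published = publish_times.get(name, {}).get(version)
        if published is None:
            findings.append((name, "unknown-publish-time"))
        elif datetime.fromisoformat(published.replace("Z", "+00:00")) > cutoff:
            findings.append((name, "too-new"))
    return sorted(findings)


def run_sample():
    """Apply the policy to the constructed lockfile."""
    return check_lockfile(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES, SAMPLE_NOW)


if __name__ == "__main__":
    for pkg, rule in run_sample():
        print(f"{rule:20s} {pkg}")
```

In a real pipeline the lockfile comes from `package-lock.json` on disk and the publish times from the registry's package metadata; the script then exits non-zero on any finding. Rule 3 complements npm's own `ignore-scripts=true` setting in `.npmrc`, which blocks install hooks wholesale, while the allowlist lets a build still run the few hooks it genuinely needs.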

@Licat Thank you so much for responding to this thread and taking the time to write the blog post and thus giving everyone a behind the scenes look on how the team deals with supply chain security. It is very much appreciated.

For my part, it has put my mind at ease, knowing this is on your radar and you are doing your best and are as careful as possible.

Thanks again-- and now I’ll continue evaluating Obsidian and see how far I can get without using any community plugins (for obvious reasons). On that note, it would be nice if Obsidian could maybe implement a few of those must-haves in Obsidian itself, maybe in a more minimalistic and easier to maintain version that still covers most users’ needs. That would be fantastic and alleviate the need for some people to even consider using plugins…

Have a great weekend,
Matthias

1 Like

Edit: my post was flagged as off-topic so I will add my explanation.

Explanation: Matthias was concerned about security in Obsidian and he decided to use Obsidian without plugins. My answer was directed to Matthias to show current limitations in Obsidian. Similarly, my answer could be relevant to any user concerned about using Obsidian without additional plugins.


Here are some highlights of active feature requests:

 

↑ Allows workflows Obsidian ⇔ Word (etc). This is really important because Word allows creating pdf or physical documents with visual formatting. It also offers easy collaboration.

 

↑ I think this is not very useful itself because you would want to produce different documents with different templates. There should be other command like ⌘M or ⌄N which allows to create notes from a selected template (FR: Template for file creation). Currently you have to chain two separate commands, new note creation and then template insertion. Templates don’t allow to specify file names (FR: Template File Name Format) or folder (FR: Enhancement of core Templates plugin: Move to folder).

 

This is very useful combined with Ability to access new button in a base for a view as part of commands to create it anywhere in Obsidian. But bases are designed to work with crafted search queries (that find existing notes), and a search query does not equal an instruction to create a note. So in a sense these two feature requests are not very essential because ultimately we would like to use a template language/syntax to craft notes.