From c5e4b7d5f56656629691562ef589b7d95e7084fe Mon Sep 17 00:00:00 2001 From: iv1310 Date: Wed, 1 Jul 2026 11:24:41 +0700 Subject: [PATCH 1/2] chore: add the neccessary files --- .github/CODEOWNERS | 2 ++ CONTRIBUTING.md | 49 ++++++++++++++++++++++++++++++++++++++++++++++ SECURITY.md | 30 ++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..292fe55 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# Default owners for everything in the repository. +* @patchstack/devsecops-ops diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..eeceef0 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,49 @@ +# Contributing to @patchstack/connect + +## Prerequisites + +- Node.js ≥ 18 +- npm ≥ 9 + +## Setup + +```bash +git clone https://github.com/patchstack/connect.git +cd connect +npm install +``` + +## Development workflow + +```bash +npm run typecheck # type-check without emitting +npm test # run the full test suite +npm run build # compile to dist/ +``` + +Keep `npm run typecheck` passing at all times. The CI workflow enforces it on every PR. + +## Making changes + +1. Fork the repo and create a branch from `main`. +2. Write or update tests for any behaviour change. +3. Make sure `npm run typecheck && npm test && npm run build` all pass locally. +4. Open a pull request against `main`. One approving review is required before merge. + +## Commit style + +Use short imperative subject lines (`Add yarn.lock parser`, `Fix timeout default`). No ticket prefix required. + +## Reporting bugs + +Open an issue at with: +- Node and npm versions (`node -v && npm -v`) +- The lockfile type in use (npm, pnpm, yarn, bun) +- Steps to reproduce +- Expected vs actual behaviour + +For security vulnerabilities see [SECURITY.md](SECURITY.md). + +## License + +By contributing you agree that your contributions will be licensed under the [MIT License](LICENSE). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..b8763f6 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,30 @@ +# Security Policy + +## Supported versions + +Only the latest published version of `@patchstack/connect` on npm receives security fixes. + +## Reporting a vulnerability + +**Do not open a public GitHub issue for security vulnerabilities.** + +Report them privately via GitHub's built-in security advisory feature: + + +Alternatively, email **security@patchstack.com** with: +- A description of the vulnerability and its potential impact +- Steps to reproduce or a proof-of-concept +- Any suggested mitigations you have in mind + +We aim to acknowledge reports within **2 business days** and to provide a resolution timeline within **7 business days**. + +## Scope + +This package runs as a dev-time CLI and library inside a user's own project. It sends only package names and versions to the Patchstack API — no source code, environment variables, or file paths. Findings of interest include: + +- Credential or token leakage from the scan payload +- Supply-chain issues (typosquatting, dependency confusion) +- Remote code execution triggered by a crafted lockfile +- Insecure defaults that expose the site UUID + +Out of scope: vulnerabilities in third-party lockfile formats themselves, or issues that require physical access to the developer's machine. From 53e4ee7c6fd2fa1e239fdb6962e6e29c731d47ae Mon Sep 17 00:00:00 2001 From: iv1310 Date: Wed, 1 Jul 2026 11:32:48 +0700 Subject: [PATCH 2/2] chore: add the node24 for CI check --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 53cf425..3cdccf6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,6 +26,7 @@ jobs: - 18.x - 20.x - 22.x + - 24.x steps: - name: Checkout
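Review bot: in the `.github/CODEOWNERS` hunk, the line `* @patchstack/devsecops-ops` only enforces anything if the `devsecops-ops` team exists in the `patchstack` org with write access to this repository and branch protection on `main` has "require review from code owners" enabled; without that, the file is inert and the "One approving review is required before merge" rule in CONTRIBUTING.md is not backed by ownership. Also, the commit subject misspells "necessary".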
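Review bot: in the `CONTRIBUTING.md` hunk, the bug-reporting line reads `Open an issue at with:` with no issue-tracker link after `at`; add the repository issues URL (or drop the `at`). The `## Prerequisites` section states only `Node.js ≥ 18`, while the companion commit's CI matrix tests 18.x, 20.x, 22.x and 24.x, so state the supported range explicitly (or point to the matrix) so contributors know which versions are actually verified.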
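Review bot: in the `SECURITY.md` hunk, under `## Reporting a vulnerability` the sentence `Report them privately via GitHub's built-in security advisory feature:` is followed by an empty line where the advisory URL belongs; add the link to the repository's security advisory page, otherwise reporters fall back to email by default. In `## Scope`, the paragraph says the tool sends "only package names and versions" to the Patchstack API, yet the findings list includes "Insecure defaults that expose the site UUID", which implies an identifier is also part of the scan; reconcile the two by listing every field in the scan payload so a reporter can judge whether a leak is in scope.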
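Review bot: in the `.github/workflows/ci.yml` hunk, adding `- 24.x` to the matrix widens what CI tests, but nothing in this series updates the range the package declares as supported (CONTRIBUTING.md still says `Node.js ≥ 18` with no upper bound), so keep the tested range and the documented range in step; if 24.x is not yet a version the package commits to supporting, decide whether a failure on that runner should block merge or be marked non-blocking, and say so in the commit message rather than leaving it implicit.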