Closed
2 changes: 2 additions & 0 deletions .github/CODEOWNERS
@@ -0,0 +1,2 @@
# Default owners for everything in the repository.
* @patchstack/devsecops-ops
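Review bot: a single wildcard rule `* @patchstack/devsecops-ops` only has teeth if the branch protection rule on `main` enables "Require review from Code Owners" and the team has write access to the repository; without that, CODEOWNERS just adds the team as a suggested reviewer. Since CONTRIBUTING.md in this same PR says one approving review is required before merge, confirm that the protection rule actually ties that review to the code owners, and consider a more specific rule for `.github/workflows/` and `SECURITY.md` so changes to CI and the disclosure policy cannot be approved by the general pool.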
1 change: 1 addition & 0 deletions .github/workflows/ci.yml
@@ -26,6 +26,7 @@ jobs:
- 18.x
- 20.x
- 22.x
- 24.x

steps:
- name: Checkout
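Review bot: adding `24.x` to the Node matrix is fine, but the supported range should be stated in one place. CONTRIBUTING.md in this PR says "Node.js ≥ 18" while the matrix now spans 18 through 24; if package.json declares an `engines` range it needs to admit 24 as well, or installs on Node 24 will warn or fail while CI passes. Node 18 is also end-of-life upstream, so decide whether 18.x stays as the tested floor or the floor moves with the matrix, and keep CONTRIBUTING.md in sync with that decision.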
49 changes: 49 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,49 @@
# Contributing to @patchstack/connect

## Prerequisites

- Node.js ≥ 18
- npm ≥ 9

## Setup

```bash
git clone https://github.com/patchstack/connect.git
cd connect
npm install
```

## Development workflow

```bash
npm run typecheck # type-check without emitting
npm test # run the full test suite
npm run build # compile to dist/
```

Keep `npm run typecheck` passing at all times. The CI workflow enforces it on every PR.

## Making changes

1. Fork the repo and create a branch from `main`.
2. Write or update tests for any behaviour change.
3. Make sure `npm run typecheck && npm test && npm run build` all pass locally.
4. Open a pull request against `main`. One approving review is required before merge.

## Commit style

Use short imperative subject lines (`Add yarn.lock parser`, `Fix timeout default`). No ticket prefix required.

## Reporting bugs

Open an issue at <https://github.com/patchstack/connect/issues> with:
- Node and npm versions (`node -v && npm -v`)
- The lockfile type in use (npm, pnpm, yarn, bun)
- Steps to reproduce
- Expected vs actual behaviour

For security vulnerabilities see [SECURITY.md](SECURITY.md).

## License

By contributing you agree that your contributions will be licensed under the [MIT License](LICENSE).
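Review bot: the Setup section uses `npm install`, which will resolve and may rewrite `package-lock.json` rather than installing the committed tree; for a project whose product is lockfile parsing, recommend `npm ci` here so every contributor installs exactly the pinned dependencies and lockfile drift shows up in review instead of silently landing. Two smaller points: step 1 under "Making changes" says to fork, but the Setup snippet clones `patchstack/connect` directly, so either show the fork URL or note that the clone should be of the contributor's fork; and the "Reporting bugs" list could ask for the exact `@patchstack/connect` version alongside the Node and npm versions, since SECURITY.md only supports the latest release.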
30 changes: 30 additions & 0 deletions SECURITY.md
@@ -0,0 +1,30 @@
# Security Policy

## Supported versions

Only the latest published version of `@patchstack/connect` on npm receives security fixes.

## Reporting a vulnerability

**Do not open a public GitHub issue for security vulnerabilities.**

Report them privately via GitHub's built-in security advisory feature:
<https://github.com/patchstack/connect/security/advisories/new>

Alternatively, email **security@patchstack.com** with:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Any suggested mitigations you have in mind

We aim to acknowledge reports within **2 business days** and to provide a resolution timeline within **7 business days**.

## Scope

This package runs as a dev-time CLI and library inside a user's own project. It sends only package names and versions to the Patchstack API — no source code, environment variables, or file paths. Findings of interest include:

- Credential or token leakage from the scan payload
- Supply-chain issues (typosquatting, dependency confusion)
- Remote code execution triggered by a crafted lockfile
- Insecure defaults that expose the site UUID

Out of scope: vulnerabilities in third-party lockfile formats themselves, or issues that require physical access to the developer's machine.
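Review bot: the Scope paragraph states that the tool sends "only package names and versions" to the API, yet the in-scope list names "credential or token leakage from the scan payload" and "insecure defaults that expose the site UUID"; read together these contradict each other, because a site UUID or API token that authenticates the request is part of the payload. Suggest stating plainly what secret the scan carries (site UUID, API key, or both), how it is expected to be provided (environment variable, config file) and that it must never be committed, so reporters know what counts as leakage. The reporting section is otherwise solid; consider adding whether reporters may use an encryption key for the email route and what the disclosure or advisory-publication timeline is after the 7-business-day resolution estimate.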