This is an interim checklist of common security-related things that should be resolved:

- [x] GitHub 2FA
- [x] GitHub branch protection
  - [x] main
  - [x] v9
  - [x] hotfix-*
- [x] GitHub PGP-signed Git commit enforcement
- [x] NPM owners' account 2FA
- [x] NPM publishing 2FA enforcement
- [x] NPM lockfiles
  - [x] v9
  - [x] v10
  - [ ] Automatic upstream backport
- [x] NPM lockfile linting (using `lockfile-lint`)
  - [x] v9 - PR: https://github.com/achrinza/node-ipc/pull/13
  - [x] v10 - PR: https://github.com/achrinza/node-ipc/pull/12
- [ ] Package support information (via `package.json`)
  - [ ] v9
  - [ ] v10
- [x] Code of Conduct
  - [x] v9 - PR: https://github.com/achrinza/node-ipc/pull/10
  - [x] v10 - PR: https://github.com/achrinza/node-ipc/pull/9
- [x] Foundational CI testing
  - [x] v9
  - [x] v10
- [ ] Installation CI testing (with `npm pack` and a minimal test app)
  - [ ] v9
  - [ ] v10
- [x] No direct or transitive (nested) dependency where `riaevangelist` has publishing rights
  - [x] v9 (since `v9.2.2`) - PR: chore: switch to `@node-ipc/js-queue` #17 (https://github.com/achrinza/node-ipc/pull/17)
  - [x] v10 (since `v10.1.5`) - PRs: chore: remove riaevangelist transitive deps #11 (https://github.com/achrinza/node-ipc/pull/11), chore: switch to `@node-ipc/js-queue` #16 (https://github.com/achrinza/node-ipc/pull/16), chore: update `@achrinza/event-pubsub` #27 (https://github.com/achrinza/node-ipc/pull/27)
- [x] Installable with `--ignore-scripts` (with CI testing)
  - [x] v9
  - [x] v10
- [ ] Coverage reporting (via Coveralls)
  - [x] v9 - PR: https://github.com/achrinza/node-ipc/pull/19
  - [ ] v10
- [ ] CI code security analysis
  - [ ] OpenSSF Scorecard
  - [ ] GitHub CodeQL
    - [ ] v9
    - [ ] v10
- [ ] OpenSSF Best Practices Badge
- [ ] CI publishing (with changelog generation)
  - [ ] v9
  - [ ] v10
- [ ] Dependency update bumps (via Renovate)
  - [ ] v9
  - [ ] v10
- [ ] Security program
  - [ ] Security e-mail with PGP key
  - [ ] SECURITY.md
  - [ ] Security Advisory Database
- [ ] License compliance
  - [ ] REUSE compliance
    - [ ] v9
    - [ ] v10
  - [ ] License scanning (via FOSSA / `pkg:npm/licensee`)
- [ ] Changelog (with Conventional Changelog)
  - [ ] v9
  - [ ] v10
- [ ] CycloneDX (changelog + pedigree)
  - [ ] v9
  - [ ] v10
- [ ] SLSA (pedigree)
  - [ ] v9
  - [ ] v10
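The lockfile linting and "no dependency published by `riaevangelist`" items above both come down to inspecting what `package-lock.json` actually resolves to. As an added example (not node-ipc's code and not `lockfile-lint` itself), here is a minimal Node.js check of the kind `lockfile-lint` performs: every dependency must resolve to an HTTPS URL on the public npm registry and carry a sha512 integrity hash. The package names, versions and hashes in the sample lockfiles are constructed.

```javascript
const REGISTRY = 'https://registry.npmjs.org/';

// Yield [name, entry] for every dependency in either lockfile layout. Hypothetical
// helper, not node-ipc code.
function* lockEntries(lock) {
  if (lock.packages) {                     // v2/v3: flat map keyed by install path ('' = root)
    for (const [p, e] of Object.entries(lock.packages)) if (p !== '') yield [p, e];
    return;
  }
  function* walk(deps) {                   // v1: nested "dependencies" tree
    for (const [n, e] of Object.entries(deps || {})) { yield [n, e]; yield* walk(e.dependencies); }
  }
  yield* walk(lock.dependencies);
}

// Return a list of findings; an empty list means the lockfile passes.
function lintLockfile(lock) {
  const findings = [];
  for (const [name, entry] of lockEntries(lock)) {
    if (entry.bundled || entry.inBundle || entry.link) continue; // no tarball to check
    if (typeof entry.resolved !== 'string') { findings.push(`${name}: no resolved URL`); continue; }
    if (!entry.resolved.startsWith(REGISTRY)) {
      findings.push(`${name}: resolved outside the npm registry (${entry.resolved})`);
    }
    if (!/^sha512-/.test(entry.integrity || '')) { // strict: sha512 only, sha1 is too weak
      findings.push(`${name}: missing or weak integrity hash`);
    }
  }
  return findings;
}

// Constructed sample lockfiles (package names, versions and hashes are made up).
const GOOD_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'sample-app' },
  'node_modules/example-dep': { version: '1.0.0',
    resolved: 'https://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz',
    integrity: 'sha512-PLACEHOLDERHASH' } } };
const BAD_LOCK = { lockfileVersion: 1, dependencies: {
  'example-dep': { version: '1.0.0',
    resolved: 'http://mirror.example/example-dep-1.0.0.tgz', // plain HTTP, off-registry
    integrity: 'sha1-PLACEHOLDERHASH',                        // weak hash
    dependencies: { 'inner-dep': { version: '2.0.0',
      resolved: 'https://registry.npmjs.org/inner-dep/-/inner-dep-2.0.0.tgz',
      integrity: 'sha512-PLACEHOLDERHASH' } } } } };

console.log('good lockfile:', lintLockfile(GOOD_LOCK)); // []
console.log('bad lockfile:', lintLockfile(BAD_LOCK));   // two findings for example-dep
```

In CI this would run against the real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) and fail the job when the findings list is non-empty, which is what the checked `lockfile-lint` items achieve with the published tool.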