Douglas Wilson
I would suggest perhaps as a precursor to opening those pull requests, to attempt to engage the folks who have been committing to the repo to determine what the plans...
To add to the above, my suggestion above is generic to clean up repos in the org; if there are particular repos where we think we should act differently than...
Sorry, one last thing 🤣 : I have no issues with this being one of the topics in the upcoming TC meeting if we want. I was I guess just...
@gireeshpunathil I would recommend trying to do this engagement as an issue in each repo, if possible. This ensures that you are reaching the appropriate current audiences. I would suggest...
Your bullet points pretty much sum it up, and especially heavy emphasis on dependency version management in these projects. I have a script I use that can also tell me...
Here is also a little write up I made towards one of our dependencies for those who are interested in the attack vector of gaining access to an npm account...
> Is express using npm audit or GHA today at least to stay up to date?

Yes
> I think we should change this ASAP. There is no reason for us to not have everyone enable 2fa. Anyone who doesn't should be told to enable it or...
The setting is just for organization members without exception. So turning it on will kick all members (TC, triage, etc.) without 2FA on. I believe it will...
Are they for express itself or some of the modules around it? We can make a group email with openjsf now like we did for the coc policy. I...