
Security Checklist

Open achrinza opened this issue 3 years ago • 0 comments

This is an interim checklist of common security-related things that should be resolved:

  • [x] GitHub 2FA
  • [x] GitHub branch protection
    • [x] main
    • [x] v9
    • [x] hotfix-*
  • [x] GitHub PGP-signed Git Commit enforcement
  • [x] NPM owners' account 2FA
  • [x] NPM publishing 2FA enforcement
  • [x] NPM lockfiles
    • [x] v9
    • [x] v10
  • [ ] Automatic upstream backport
  • [x] NPM lockfile linting (Using lockfile-lint)
    • [x] v9 - PR: https://github.com/achrinza/node-ipc/pull/13
    • [x] v10 - PR: https://github.com/achrinza/node-ipc/pull/12
  • [ ] Package support information (via package.json)
    • [ ] v9
    • [ ] v10
  • [x] Code of Conduct
    • [x] v9 - PR: https://github.com/achrinza/node-ipc/pull/10
    • [x] v10 - PR: https://github.com/achrinza/node-ipc/pull/9
  • [x] Foundational CI testing
    • [x] v9
    • [x] v10
  • [ ] Installation CI testing (with npm pack and minimal test app)
    • [ ] v9
    • [ ] v10
  • [x] No transient direct or nested dependency where riaevangelist has publishing rights
    • [x] v9 (since v9.2.2) - PR: https://github.com/achrinza/node-ipc/pull/17
    • [x] v10 (since v10.1.5) - PR: https://github.com/achrinza/node-ipc/pull/11, https://github.com/achrinza/node-ipc/pull/16, https://github.com/achrinza/node-ipc/pull/27
  • [x] Installable with --ignore-scripts (with CI testing)
    • [x] v9
    • [x] v10
  • [ ] Coverage reporting (via Coveralls)
    • [x] v9 - PR: https://github.com/achrinza/node-ipc/pull/19
    • [ ] v10
  • [ ] CI Code Security Analysis
    • [ ] OpenSSF Scorecard
    • [ ] GitHub CodeQL
      • [ ] v9
      • [ ] v10
  • [ ] OpenSSF Best Practices Badge
  • [ ] CI publishing (with changelog generation)
    • [ ] v9
    • [ ] v10
  • [ ] Dependency update bumps (via Renovate)
    • [ ] v9
    • [ ] v10
  • [ ] Security Program
    • [ ] Security e-mail with PGP key
    • [ ] SECURITY.md
    • [ ] Security Advisory Database
  • [ ] License compliance
    • [ ] REUSE compliance
      • [ ] v9
      • [ ] v10
    • [ ] License scanning (via FOSSA / pkg:npm/licensee)
  • [ ] Changelog (with Conventional Changelog)
    • [ ] v9
    • [ ] v10
  • [ ] CycloneDX (changelog + pedigree)
    • [ ] v9
    • [ ] v10
  • [ ] SLSA (pedigree)
    • [ ] v9
    • [ ] v10

achrinza avatar Mar 18 '22 15:03 achrinza
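To show what the "NPM lockfile linting" item in the checklist actually catches, here is a minimal lockfile lint in the spirit of lockfile-lint, added here as an example. It is not code from node-ipc or from lockfile-lint; the allowed-host list, the `package-lock.json` v2/v3 layout it reads, and the sample lockfile entries are assumptions constructed for the example.

```javascript
// Added example, not node-ipc's own code: lint a package-lock.json (v2/v3
// "packages" map) so that a dependency resolving over plain http, from a host
// that is not the allow-listed registry, or without an integrity hash fails CI.

// Assumption for this example: every dependency must come from the public npm
// registry. Integrity must be an SRI string (sha256/384/512 + base64 digest).
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);
const INTEGRITY_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

function lintLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project / workspace symlink: nothing fetched
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.resolved) { findings.push(`${name}: missing "resolved" URL`); continue; }
    let url;
    try { url = new URL(entry.resolved); } catch { findings.push(`${name}: unparsable resolved URL`); continue; }
    if (url.protocol !== 'https:') findings.push(`${name}: insecure scheme ${url.protocol}`);
    if (!allowedHosts.has(url.hostname)) findings.push(`${name}: host ${url.hostname} not allowed`);
    if (!INTEGRITY_RE.test(entry.integrity || '')) findings.push(`${name}: missing or malformed integrity`);
  }
  return findings;
}

// Constructed sample lockfile (not from the project): one clean entry, one
// redirected to a non-registry host, one downgraded to http with no integrity.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/clean-dep': { version: '1.0.0',
      resolved: 'https://registry.npmjs.org/clean-dep/-/clean-dep-1.0.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==' },
    'node_modules/off-registry': { version: '0.0.1',
      resolved: 'https://example.invalid/off-registry-0.0.1.tgz',
      integrity: 'sha512-' + 'B'.repeat(86) + '==' },
    'node_modules/downgraded': { version: '2.0.0',
      resolved: 'http://registry.npmjs.org/downgraded/-/downgraded-2.0.0.tgz' },
  },
};

const sampleFindings = lintLockfile(SAMPLE_LOCK);
console.log(sampleFindings.length ? sampleFindings.join('\n') : 'lockfile clean');
```

In CI this would read the real `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and exit non-zero when any finding is returned.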