clomonitor
CLOMonitor is a tool that periodically checks open source projects' repositories to verify that they meet certain project-health best practices.
Bumps [express](https://github.com/expressjs/express) from 4.18.3 to 4.19.2. Release notes Sourced from express's releases. 4.19.2 What's Changed Improved fix for open redirect allow list bypass Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2 4.19.1 What's Changed Fix...
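The release note above only names the bug class. As an added example (not code from express or from this repository), here is the shape of an open-redirect allow-list check done wrong and done right: the naive version compares a string prefix, the hardened version parses the value first and compares the parsed host name. The host names and "next" values are constructed for the example.

```javascript
// Added example, not code from express: validate a user-supplied
// redirect target against an allow list of hosts. ALLOWED_HOSTS and the
// "next" values used below are constructed for the example.
const ALLOWED_HOSTS = ["app.example", "accounts.example"];

// Naive check of the kind that allow-list bypasses target: a string prefix
// test on the raw value, which "https://app.example.evil.test/" passes.
function naiveRedirectTarget(next, allowedPrefix = "https://app.example") {
  return typeof next === "string" && next.startsWith(allowedPrefix) ? next : null;
}

// Hardened check: parse first, then compare the parsed host name.
// Returns the absolute URL to redirect to, or null if the value is rejected.
function safeRedirectTarget(next, allowedHosts = ALLOWED_HOSTS, base = "https://app.example") {
  if (typeof next !== "string" || next.length === 0 || next.length > 2048) return null;
  // Browsers treat a backslash like a slash, so "/\evil.test" must be seen as
  // the protocol-relative "//evil.test", not as a harmless local path.
  const normalised = next.replace(/\\/g, "/");
  let target;
  try {
    target = new URL(normalised, base); // relative paths resolve against our own origin
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null; // no javascript:, data:
  if (target.username || target.password) return null; // "https://app.example@evil.test" style userinfo
  if (!allowedHosts.includes(target.hostname.toLowerCase())) return null;
  return target.href;
}
```

The point of the example is that the check must run on the parsed host, not on the raw string: subdomain suffixes, userinfo, protocol-relative paths and backslashes all defeat a prefix test while leaving the parsed host name unambiguous.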
There's a lot of overlap between CLOMonitor and Scorecard checks: https://github.com/ossf/scorecard/blob/main/docs/checks.md Ideally I'd like to port all CNCF CLOMonitor checks to Scorecard and under the covers just call Scorecard (like...
Bumps [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) from 5.3.3 to 5.3.4. Release notes Sourced from webpack-dev-middleware's releases. v5.3.4 5.3.4 (2024-03-20) Bug Fixes security: do not allow to read files above (#1779) (189c4ac) Changelog Sourced from...
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.5 to 1.15.6. Commits 35a517c Release version 1.15.6 of the npm package. c4f847f Drop Proxy-Authorization across hosts. 8526b4a Use GitHub for disclosure. See full diff in compare...
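The commit "Drop Proxy-Authorization across hosts" is about which request headers a client may carry over when it follows a redirect. As an added example (not follow-redirects' own code), here is a header-filtering function that drops credential headers when the target host changes or the scheme downgrades from https to http, plus an offline walk through a constructed redirect chain that shows a same-host hop keeping the credentials and a cross-host hop losing them. The URLs and responses are constructed for the example.

```javascript
// Added example, not follow-redirects' own code: decide which request headers
// survive a redirect, dropping credentials when the target host changes or the
// scheme downgrades from https to http. The URLs and responses are constructed.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

// Resolve the Location value against the current URL and return the next
// request's URL and headers.
function headersForRedirect(fromUrl, location, headers) {
  const from = new URL(fromUrl);
  const to = new URL(location, fromUrl); // relative Location resolves against the current URL
  const hostChanged = from.host !== to.host; // host includes a non-default port
  const downgraded = from.protocol === "https:" && to.protocol === "http:";
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if ((hostChanged || downgraded) && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Constructed redirect chain: one same-host hop, then a hop to another host.
const RESPONSES = {
  "https://api.example/v1/report": { status: 302, location: "/v2/report" },
  "https://api.example/v2/report": { status: 302, location: "https://files.example/report.pdf" },
  "https://files.example/report.pdf": { status: 200 },
};

// Walk the chain offline, recording the headers that would have been sent at each hop.
function follow(startUrl, headers, responses = RESPONSES, maxRedirects = 5) {
  let url = startUrl;
  let current = { ...headers };
  const hops = [];
  for (let redirects = 0; ; redirects++) {
    const resp = responses[url];
    if (!resp) throw new Error(`no constructed response for ${url}`);
    hops.push({ url, headers: { ...current } });
    if (resp.status < 300 || resp.status >= 400) return { url, headers: current, hops };
    if (redirects >= maxRedirects) throw new Error("too many redirects");
    ({ url, headers: current } = headersForRedirect(url, resp.location, current));
  }
}
```

Comparing `host` rather than `hostname` is deliberate: a redirect to the same name on a different port is a different server as far as credential scope goes, so it is treated as a host change.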
Hello, in our repositories we are currently including the `.clomonitor.yml` file; however, some of our repositories are restricted to naming conventions and as such we must have `.yaml` for the...
The check for the Trademark Disclaimer works quite well for static web sites, but we should identify possible ways to improve it for dynamic web sites (i.e., Docusaurus/React/Angular). The current...
Hi 👋 We've started looking into this and there are some points we'd like to comment with you 🙂 - Multiple repositories per project In the `landscape.yml` file, each project...
CNCF Projects have to xfer their trademark over to the foundation. There's no easy way to check for this but @amye were chatting that we may have a new policy...
If I recall, k8s is producing SBOM files somewhere; we should ensure that our check works for it. @jeefy can look at this.
(Most) CNCF projects are expected to have a presence on cncf.groups.io. I propose a check to ensure there's at least one mailing list created that follows the pattern of `cncf-{project-name}-*`...