
Extend Security Best Practices for your Project

Open UlisesGascon opened this issue 6 months ago • 7 comments

cc: @KevinCrosby, @Jeffrey-Luszcz @DUBSOpenHub @jonchurch @blakeembrey @ljharb @rafaelgss

Note: This PR will impact #3462 and #3461

UlisesGascon avatar Jul 09 '25 14:07 UlisesGascon

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 09 '25 12:08 github-actions[bot]

@UlisesGascon I see @xcorail has some suggestions above. Can you take a look and discuss/accommodate? I've pinged @Jeffrey-Luszcz and he'll be taking a look when he can. Thank you for the contribution.

jmeridth avatar Sep 25 '25 16:09 jmeridth

?

On Mon, 6 Oct 2025 at 23:08, khanimehdi117-rgb @.***> wrote:

@.**** commented on this pull request.

In _articles/security-best-practices-for-your-project.md https://github.com/github/opensource.guide/pull/3465#discussion_r2408585472 :

@@ -50,13 +50,27 @@ Picture this: a project built on the sturdy foundation of a widely-used library.

To prevent such scenarios, Software Composition Analysis (SCA) tools such as Dependabot and Renovate automatically check your dependencies for known vulnerabilities published in public databases such as the NVD or the GitHub Advisory Database, and then creates pull requests to update them to safe versions. Staying up-to-date with the latest safe dependency versions safeguards your project from potential risks.

+## Understand and manage open source license risks + +### Open source licenses come with terms and ignoring them can lead to legal and reputational risks. + +Using open source dependencies can speed up development, but each package includes a license that defines how it can be used, modified, or distributed. Some licenses are permissive, while others (like AGPL or SSPL) impose restrictions that may not be compatible with your project's goals or your users' needs. + +Imagine this: You add a powerful library to your project, unaware that it uses a restrictive license. Later, a company wants to adopt your project but raises concerns about license compliance. The result? You lose adoption, need to refactor code, and your project’s reputation takes a hit.
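Review bot: the new `###` subheading in this hunk is a full sentence with a trailing period ("Open source licenses come with terms and ignoring them can lead to legal and reputational risks."), which reads as a summary line rather than a heading; consider dropping the period or rephrasing it as a short noun-phrase heading. The example also lists SSPL alongside AGPL as a restrictive open source license, but SSPL is not an OSI-approved open source license, so either describe it as source-available or pick another copyleft example. Finally, the preceding paragraph names a concrete control (SCA tools such as Dependabot and Renovate), while this section only describes the risk; it would be stronger if it named the matching check, such as reviewing the licenses in your dependency inventory as part of the same tooling.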

Yu7


velkovacece50-collab avatar Oct 08 '25 15:10 velkovacece50-collab

I want to be part of this open source project, and I am not new to GitHub. I lost my profile and my projects, though.

Maclain30

Maclain30 avatar Oct 13 '25 03:10 Maclain30

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

piraporn avatar Oct 14 '25 05:10 piraporn

Converting to draft until author re-engages.

jmeridth avatar Oct 17 '25 16:10 jmeridth

I plan to rework this PR next week once I am back from vacation.

UlisesGascon avatar Oct 17 '25 16:10 UlisesGascon

@ahpook iterate ftw. Thank you for merging.

jmeridth avatar Dec 10 '25 20:12 jmeridth