
Backlog: Adopt Security Best Practices

Open · UlisesGascon opened this issue 2 months ago · 0 comments

Hey team! 👋

As discussed recently, here's a coordinated effort to adopt security best practices 🔐

✅ Current PRs

  • [x] Configure ~~Dependabot~~ Renovate: ~~https://github.com/lodash/lodash/pull/6029~~ https://github.com/lodash/lodash/pull/6039
  • [ ] Add Dependency Review tool: https://github.com/lodash/lodash/pull/6031
  • [x] List security team members: https://github.com/lodash/lodash/pull/6036
  • [x] Add a Threat Model: https://github.com/lodash/lodash/pull/6026
  • [x] Include CNA Escalation in the SECURITY.md: https://github.com/lodash/lodash/pull/6025
  • [x] Add Incident Response Plan (IRP): https://github.com/lodash/lodash/pull/6028
  • [x] Proactively report the OSSF Scorecard results: https://github.com/lodash/lodash/pull/6030
  • [x] Enable CodeQL: https://github.com/lodash/lodash/pull/6032

💬 Open Questions

  • [x] The IRP includes a reference to the Security Triage Team. I will start working on a proposal to define that team's responsibilities and resources (Slack channel, private repo...) as described in the IRP proposal (https://github.com/lodash/lodash/pull/6028).

🔖 Important

Let's use this thread to discuss general Security Best Practices topics, and keep implementation details within each PR for better tracking and organization.

UlisesGascon · Oct 21 '25 22:10