Open
Description
This is an interim checklist of common security-related things that should be resolved:
- GitHub 2FA
- GitHub branch protection
  - main
  - v9
  - hotfix-*
- GitHub PGP-signed Git commit enforcement
- NPM owners' account 2FA
- NPM publishing 2FA enforcement
- NPM lockfiles
  - v9
  - v10
- Automatic upstream backport
- NPM lockfile linting (using `lockfile-lint`)
  - v9 - PR: ci: add lockfile lint #13
  - v10 - PR: ci: add lockfile lint #12
- Package support information (via `package.json`)
  - v9
  - v10
- Code of Conduct
  - v9 - PR: chore: add code of conduct (v9) #10
  - v10 - PR: chore: add code of conduct #9
- Foundational CI testing
  - v9
  - v10
- Installation CI testing (with `npm pack` and a minimal test app)
  - v9
  - v10
- No transient direct or nested dependency where `riaevangelist` has publishing rights
  - v9 (since v9.2.2) - PR: chore: switch to `@node-ipc/js-queue` #17
  - v10 (since v10.1.5) - PRs: chore: remove riaevangelist transitive deps #11, chore: switch to `@node-ipc/js-queue` #16, chore: update `@achrinza/event-pubsub` #27
- Installable with `--ignore-scripts` (with CI testing)
  - v9
  - v10
- Coverage reporting (via Coveralls)
  - v9 - PR: ci: publish coverage reports #19
  - v10
- CI code security analysis
  - OpenSSF Scorecard
  - GitHub CodeQL
    - v9
    - v10
- OpenSSF Best Practices Badge
- CI publishing (with changelog generation)
  - v9
  - v10
- Dependency update bumps (via Renovate)
  - v9
  - v10
- Security program
  - Security e-mail with PGP key
  - SECURITY.md
  - Security Advisory Database
- License compliance
  - REUSE compliance
    - v9
    - v10
  - License scanning (via FOSSA / `pkg:npm/licensee`)
- Changelog (with Conventional Changelog)
  - v9
  - v10
- CycloneDX (changelog + pedigree)
  - v9
  - v10
- SLSA (pedigree)
  - v9
  - v10
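The lockfile linting item above relies on `lockfile-lint`; the script below is an added example (not the project's CI configuration and not `lockfile-lint`'s own code) that performs the same core checks on a `package-lock.json`: every `resolved` URL must use https, must point at an allowed registry host, and must carry an `integrity` hash, so that a tampered lockfile cannot silently redirect an install to a plain-http or third-party host. The sample lockfile, the `ALLOWED_HOSTS` set and the function names are all constructed for this example; both lockfile v1 (`dependencies`, nested) and v2/v3 (`packages`) layouts are handled.

```python
"""Minimal package-lock.json validation in the spirit of lockfile-lint.

Added example; not the project's CI and not lockfile-lint's implementation.
"""
import json
import sys
from urllib.parse import urlparse

# Assumption: only the public npm registry is an acceptable download origin.
ALLOWED_HOSTS = {"registry.npmjs.org"}


def iter_lockfile_entries(lock):
    """Yield (package_name, entry) for every dependency in the lockfile.

    Lockfile v2/v3 lists everything under "packages" keyed by install path;
    v1 nests under "dependencies". v2 carries both, so prefer "packages"
    to avoid reporting each dependency twice.
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, entry in packages.items():
            if path == "":
                continue  # the root project entry, not a dependency
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            yield path.rsplit("node_modules/", 1)[-1], entry
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, entry = stack.pop()
        yield name, entry
        stack.extend(entry.get("dependencies", {}).items())


def lint_lockfile(lock, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name, entry in iter_lockfile_entries(lock):
        resolved = entry.get("resolved")
        if resolved is None:
            # Workspace links and bundled packages carry no download URL.
            continue
        url = urlparse(resolved)
        if url.scheme != "https":
            findings.append(f"{name}: non-https resolved URL {resolved}")
        if url.hostname not in allowed_hosts:
            findings.append(f"{name}: host {url.hostname!r} not in allowed hosts")
        if not entry.get("integrity"):
            findings.append(f"{name}: missing integrity hash")
    return findings


# Constructed sample lockfile (v3 layout) with one clean and two bad entries.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/good-pkg": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/good-pkg/-/good-pkg-1.2.3.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/plain-http": {
            "version": "0.1.0",
            "resolved": "http://registry.npmjs.org/plain-http/-/plain-http-0.1.0.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/mirror-pkg": {
            "version": "2.0.0",
            "resolved": "https://registry.example.internal/mirror-pkg/-/mirror-pkg-2.0.0.tgz",
        },
    },
}


if __name__ == "__main__":
    # Usage: python lint_lock.py [path/to/package-lock.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    problems = lint_lockfile(lock)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run in CI, a non-zero exit blocks the merge; `allowed_hosts` is the one knob to widen if the project installs from an internal mirror, and even then the https and integrity checks stay unconditional.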
RDIL