Communicating security on the Foundation website

[lirantal]

Hey folks,
Liran from Snyk here 👋

We've been spending some time recently working with the community to increase the security awareness for developers. A good couple of examples of that are embedding a small widget on jsDelivr (https://www.jsdelivr.com/package/npm/lodash?version=4.17.0) and CDNjs (https://cdnjs.dev/libraries/lodash.js/4.10.0) like this:

If you wanted to follow the same on the Foundation landing page (https://get.foundation), as we're tracking some past security issues over at https://snyk.io/vuln/npm:foundation-sites, both me and @bmvermeer would be happy to work with you on it.

[DanielRuf]

I'm not sure if it makes sense to display 0 vulnerabilities.
Also we are busy with other things and plan to create a new website for v7.

Users should use the latest available version as we do not support older releases anymore and the docs and website are always for the latest version.

In general I am a bit confused about https://snyk.io/test/npm/lodash/4.17.0?severity=high&severity=medium&severity=low&policy=open&policy=patched which says 5 open but 0 patched but all state that there were patch releases after this which obviously resolve them. What does "patched" mean in this case and why is it 0?

[lirantal]

patched in that context refers to Snyk patches and it means there aren't any Snyk related patches for this version/vulnerability.

[DanielRuf]

Ah ok, thanks for the clarification.

[lirantal]

So, I have some ideas on probably a better style of presenting the security state if so to speak but in a different way than saying how many vulns. @bmvermeer will share some of what he as been working on lately and let's see if that's a more interesting way to do it.

[bmvermeer]

Hi @DanielRuf,
I understand that the 0 vulns might seems odd. However, it shows that the package you provide doesn't have any vulnerabilities at this point in time. So the choice for foundation is also a safe choice.
Maybe a security badge like below could be a better fit.

Some more information on these badges and how to create one for a specific package can be found here.

Please let me know what your thought are around this.