chore: add security hardening #58

Merged
nikosxenakis merged 1 commit into main from nikosxenakis/SDK-2664-security-hardening
Apr 14, 2026

Conversation

@nikosxenakis (Contributor)

Summary

  • Add SECURITY.md with DFINITY's vulnerability reporting policy and bug bounty program details
  • Add minimumReleaseAge: 10080 to pnpm-workspace.yaml to ignore dependency updates released less than 7 days ago
  • Add ignore-scripts=true to .npmrc to prevent lifecycle scripts from running during install (supply-chain attack mitigation)

Context

Part of SDK-2664 security hardening across JS/TS repos.

Note: onlyBuiltDependencies already listed cbor-extract and esbuild — no changes needed there.
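A repo-side check for the three settings this PR introduces, added here as an example and not part of the PR or the repository: it verifies that `.npmrc` disables lifecycle scripts, that `pnpm-workspace.yaml` sets `minimumReleaseAge` to at least 10080 minutes (7 days), and that `SECURITY.md` exists. The function names and the sample checkout it builds are constructed for the example.

```shell
#!/bin/sh
# check_hardening <repo-dir>: exit status 0 when all three settings from the
# PR are present, otherwise the number of failed checks. Hypothetical helper
# written for this example; thresholds and file names follow the PR text.
check_hardening() {
  dir="$1"
  fails=0

  # 1. .npmrc must disable install-time lifecycle scripts (supply-chain mitigation).
  if grep -Eq '^[[:space:]]*ignore-scripts[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$dir/.npmrc" 2>/dev/null; then
    echo "ok   .npmrc: ignore-scripts=true"
  else
    echo "FAIL .npmrc: ignore-scripts=true missing"; fails=$((fails + 1))
  fi

  # 2. pnpm-workspace.yaml must hold back releases younger than 7 days (10080 minutes).
  age=$(sed -n 's/^[[:space:]]*minimumReleaseAge:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$dir/pnpm-workspace.yaml" 2>/dev/null | head -n 1)
  if [ -n "$age" ] && [ "$age" -ge 10080 ]; then
    echo "ok   pnpm-workspace.yaml: minimumReleaseAge=$age"
  else
    echo "FAIL pnpm-workspace.yaml: minimumReleaseAge missing or below 10080 (got '${age:-none}')"; fails=$((fails + 1))
  fi

  # 3. SECURITY.md must exist and be non-empty so reporters can find the policy.
  if [ -s "$dir/SECURITY.md" ]; then
    echo "ok   SECURITY.md present"
  else
    echo "FAIL SECURITY.md missing or empty"; fails=$((fails + 1))
  fi

  return "$fails"
}

# make_sample_repo <dir>: builds a constructed sample checkout (not the real
# repository) carrying the three settings, so the check runs offline.
make_sample_repo() {
  mkdir -p "$1"
  printf 'ignore-scripts=true\n' > "$1/.npmrc"
  printf 'packages:\n  - "packages/*"\nminimumReleaseAge: 10080\nonlyBuiltDependencies:\n  - cbor-extract\n  - esbuild\n' > "$1/pnpm-workspace.yaml"
  printf '# Security Policy\n\nReport vulnerabilities as described here.\n' > "$1/SECURITY.md"
}

# Demo: the compliant sample passes all three checks.
sample=$(mktemp -d)
make_sample_repo "$sample/good"
check_hardening "$sample/good"
rm -rf "$sample"
```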

@nikosxenakis nikosxenakis requested a review from a team as a code owner April 14, 2026 13:47
Copilot AI review requested due to automatic review settings April 14, 2026 13:47
Copilot AI left a comment

Pull request overview

This PR adds repository-level security hardening and reporting guidance for the JS/TS package, aligning with the broader SDK-2664 effort.

Changes:

  • Add SECURITY.md describing DFINITY’s vulnerability reporting process and bug bounty program.
  • Configure pnpm to ignore dependency updates released within the last 7 days via minimumReleaseAge.
  • Disable dependency lifecycle scripts by default via .npmrc (ignore-scripts=true) as a supply-chain mitigation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File                  Description
pnpm-workspace.yaml   Adds a 7-day minimum release age for dependency updates.
SECURITY.md           Introduces a security policy and reporting instructions.
.npmrc                Disables install-time lifecycle scripts to reduce supply-chain risk.

@nikosxenakis nikosxenakis force-pushed the nikosxenakis/SDK-2664-security-hardening branch from 134850d to 9fc2249 April 14, 2026 13:58
@nikosxenakis nikosxenakis added this pull request to the merge queue Apr 14, 2026
Merged via the queue into main with commit 164d287 Apr 14, 2026
10 checks passed
@nikosxenakis nikosxenakis deleted the nikosxenakis/SDK-2664-security-hardening branch April 14, 2026 14:19