From 105b3d235fcc82439a568888e3b1d0a8b2c4286a Mon Sep 17 00:00:00 2001 From: Nikolaos Xenakis Date: Thu, 9 Apr 2026 17:55:11 +0300 Subject: [PATCH 1/3] chore: implement supply chain security hardening --- .github/workflows/self-pnpm-audit.yaml | 26 ++++++++++++++++++ .npmrc | 1 + SECURITY.md | 37 ++++++++++++++++++++++++++ pnpm-workspace.yaml | 2 ++ 4 files changed, 66 insertions(+) create mode 100644 .github/workflows/self-pnpm-audit.yaml create mode 100644 .npmrc create mode 100644 SECURITY.md diff --git a/.github/workflows/self-pnpm-audit.yaml b/.github/workflows/self-pnpm-audit.yaml new file mode 100644 index 0000000..f50ee50 --- /dev/null +++ b/.github/workflows/self-pnpm-audit.yaml @@ -0,0 +1,26 @@ +name: PNPM Audit + +on: + pull_request: + types: + - opened + - reopened + - edited + - synchronize + +concurrency: + group: pr-${{ github.workflow }}-${{ github.head_ref }} + cancel-in-progress: true + +jobs: + audit: + name: audit:required + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Setup PNPM + uses: ./actions/setup-pnpm + + - run: pnpm audit diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..537f81f --- /dev/null +++ b/.npmrc @@ -0,0 +1 @@ +ignore-scripts=true \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d6d6a4b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,37 @@ +# Security Policy + +DFINITY takes the security of our software products seriously, which includes all source code repositories under the [DFINITY](https://github.com/dfinity) GitHub organization. + +> [!IMPORTANT] +> [DFINITY Foundation](https://dfinity.org) has a [Internet Computer (ICP) Bug Bounty program](https://dfinity.org/bug-bounty/) that rewards researchers for finding and reporting vulnerabilities in the Internet Computer. Please check the scope and eligibility criteria outlined in the policy to see if the vulnerability you found qualifies for a reward. + +## How to report a vulnerability + +We appreciate your help in keeping our projects secure. +If you believe you have found a security vulnerability in any of our repositories, please report it responsibly to us as described below: + +1. **Do not disclose the vulnerability publicly.** Public disclosure could be exploited by attackers before it can be fixed. +2. **Send an email to securitybugs@dfinity.org.** Please include the following information in your email: + * A description of the vulnerability + * Steps to reproduce the vulnerability + * Risk rating of the vulnerability + * Any other relevant information + +We will respond to your report within 72 hours and work with you to fix the vulnerability as soon as possible. + +### Security Updates + +We are committed to fixing security vulnerabilities in a timely manner. Once a security vulnerability is reported, we will: + +* Investigate the report and confirm the vulnerability. +* Develop a fix for the vulnerability. +* Release a new version of the project that includes the fix. +* Announce the security fix in the project's release notes. + +## Preferred Language + +We prefer all communications to be in English. + +## Disclaimer + +This security policy is subject to change at any time. \ No newline at end of file diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index e8c72c7..6aaa768 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -4,3 +4,5 @@ packages: - 'actions/extract-version' - 'actions/submit-docs' - 'lib/action-utils' + +minimumReleaseAge: 10080 # ignore dependency updates released less than 7 days ago From d1f94a350ab591b6922e8efaf42bae5516455bf9 Mon Sep 17 00:00:00 2001 From: Nikolaos Xenakis Date: Mon, 13 Apr 2026 12:14:07 +0300 Subject: [PATCH 2/3] chore: harden supply chain security --- SECURITY.md | 21 ++++++++++----------- package.json | 5 +++++ pnpm-lock.yaml | 11 +++++++---- pnpm-workspace.yaml | 3 +++ 4 files changed, 25 insertions(+), 15 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index d6d6a4b..069b2b0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,8 +2,7 @@ DFINITY takes the security of our software products seriously, which includes all source code repositories under the [DFINITY](https://github.com/dfinity) GitHub organization. -> [!IMPORTANT] -> [DFINITY Foundation](https://dfinity.org) has a [Internet Computer (ICP) Bug Bounty program](https://dfinity.org/bug-bounty/) that rewards researchers for finding and reporting vulnerabilities in the Internet Computer. Please check the scope and eligibility criteria outlined in the policy to see if the vulnerability you found qualifies for a reward. +> [!IMPORTANT] > [DFINITY Foundation](https://dfinity.org) has a [Internet Computer (ICP) Bug Bounty program](https://dfinity.org/bug-bounty/) that rewards researchers for finding and reporting vulnerabilities in the Internet Computer. Please check the scope and eligibility criteria outlined in the policy to see if the vulnerability you found qualifies for a reward. ## How to report a vulnerability @@ -12,10 +11,10 @@ If you believe you have found a security vulnerability in any of our repositorie 1. **Do not disclose the vulnerability publicly.** Public disclosure could be exploited by attackers before it can be fixed. 2. **Send an email to securitybugs@dfinity.org.** Please include the following information in your email: - * A description of the vulnerability - * Steps to reproduce the vulnerability - * Risk rating of the vulnerability - * Any other relevant information + - A description of the vulnerability + - Steps to reproduce the vulnerability + - Risk rating of the vulnerability + - Any other relevant information We will respond to your report within 72 hours and work with you to fix the vulnerability as soon as possible. @@ -23,10 +22,10 @@ We will respond to your report within 72 hours and work with you to fix the vuln We are committed to fixing security vulnerabilities in a timely manner. Once a security vulnerability is reported, we will: -* Investigate the report and confirm the vulnerability. -* Develop a fix for the vulnerability. -* Release a new version of the project that includes the fix. -* Announce the security fix in the project's release notes. +- Investigate the report and confirm the vulnerability. +- Develop a fix for the vulnerability. +- Release a new version of the project that includes the fix. +- Announce the security fix in the project's release notes. ## Preferred Language @@ -34,4 +33,4 @@ We prefer all communications to be in English. ## Disclaimer -This security policy is subject to change at any time. \ No newline at end of file +This security policy is subject to change at any time. diff --git a/package.json b/package.json index 3560730..b602f59 100644 --- a/package.json +++ b/package.json @@ -23,5 +23,10 @@ "prettier": "^3.2.5", "rimraf": "^6.0.0", "typescript": "^5.9.3" + }, + "pnpm": { + "overrides": { + "brace-expansion": "^5.0.5" + } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index bb4d090..9f0a978 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + brace-expansion: ^5.0.5 + importers: .: @@ -298,8 +301,8 @@ packages: before-after-hook@4.0.0: resolution: {integrity: sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==} - brace-expansion@5.0.4: - resolution: {integrity: sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==} + brace-expansion@5.0.5: + resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} engines: {node: 18 || 20 || >=22} esbuild@0.25.12: @@ -538,7 +541,7 @@ snapshots: before-after-hook@4.0.0: {} - brace-expansion@5.0.4: + brace-expansion@5.0.5: dependencies: balanced-match: 4.0.4 @@ -585,7 +588,7 @@ snapshots: minimatch@10.2.4: dependencies: - brace-expansion: 5.0.4 + brace-expansion: 5.0.5 minipass@7.1.3: {} diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 6aaa768..1135a37 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -5,4 +5,7 @@ packages: - 'actions/submit-docs' - 'lib/action-utils' +onlyBuiltDependencies: + - esbuild + minimumReleaseAge: 10080 # ignore dependency updates released less than 7 days ago From 89ce5bf8eaad42b572723a30342981d4d8c80ecc Mon Sep 17 00:00:00 2001 From: Nikolaos Xenakis Date: Mon, 13 Apr 2026 12:37:08 +0300 Subject: [PATCH 3/3] fix: typo --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 069b2b0..f404856 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,7 @@ DFINITY takes the security of our software products seriously, which includes all source code repositories under the [DFINITY](https://github.com/dfinity) GitHub organization. -> [!IMPORTANT] > [DFINITY Foundation](https://dfinity.org) has a [Internet Computer (ICP) Bug Bounty program](https://dfinity.org/bug-bounty/) that rewards researchers for finding and reporting vulnerabilities in the Internet Computer. Please check the scope and eligibility criteria outlined in the policy to see if the vulnerability you found qualifies for a reward. +> [!IMPORTANT] > [DFINITY Foundation](https://dfinity.org) has an [Internet Computer (ICP) Bug Bounty program](https://dfinity.org/bug-bounty/) that rewards researchers for finding and reporting vulnerabilities in the Internet Computer. Please check the scope and eligibility criteria outlined in the policy to see if the vulnerability you found qualifies for a reward. ## How to report a vulnerability