Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the security file in the repositories #48

Closed
bjohansebas opened this issue Feb 18, 2025 · 9 comments
Closed

Update the security file in the repositories #48

bjohansebas opened this issue Feb 18, 2025 · 9 comments
Assignees
@bjohansebas
Labels
documentation Improvements or additions to documentation

Comments

@bjohansebas
Copy link
Member

Currently, Express and its other two organizations have several repositories with a security file that is somewhat outdated since an email is now being used. We can update this file or remove it so that it takes the security file from .github
@bjohansebas bjohansebas added the documentation Improvements or additions to documentation label Feb 18, 2025
@UlisesGascon
Copy link
Member

Yep! Great idea do you want to work on it? I am happy to do it as well

@bjohansebas
Copy link
Member Author

Did we delete the file, or did we just update it?

@UlisesGascon
Copy link
Member

Ideally we delete it, so we inherit the content directly from the .github repo in each org

@bjohansebas
Copy link
Member Author

Great, I can do it

This was referenced Feb 18, 2025
Merged
Merged
@bjohansebas
Copy link
Member Author

I've made a script to make the process less manual. These are the repositories that have that file.

Repository that contains the SECURITY.md file:

pillarjs/send
pillarjs/path-to-regexp
pillarjs/finalhandler
pillarjs/router
pillarjs/encodeurl
jshttp/cookie
jshttp/forwarded
expressjs/body-parser
expressjs/serve-static

@ljharb
Copy link

ljharb commented Feb 18, 2025

Be sure to check both for SECURITY.md and .github/SECURITY.md, case-insensitive.

This was referenced Feb 18, 2025
Merged
Merged
Merged
Merged
Merged
@bjohansebas
Copy link
Member Author

path-to-regexp and encodeurl have a different security file, they use Tidelift to report vulnerabilities. What should we do there?

@UlisesGascon
Copy link
Member

UlisesGascon commented Feb 18, 2025
edited
Loading

path-to-regexp and encodeurl have a different security file, they use Tidelift to report vulnerabilities. What should we do there?

As far I know this is an outdated policy and we can remove it, but it will require an update in Tidelift side too (cc: @expressjs/express-tc )

This was referenced Feb 22, 2025
Merged
Merged
@UlisesGascon
Copy link
Member

So far we merged all the pending PRs:

@blakeembrey can you update Tidelift too (ref)?

At this stage we can consider the activity completed, so I close the issue now 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bjohansebas bjohansebas

Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ljharb @UlisesGascon @bjohansebas