kerolox/site/content/contribute/security.md

+++ title = "Security" description = "Kerolox's security policy and it affects contributions." +++

TODO

npm

Unfortunately for everybody, JavaScript is the language of the web. Kerolox does its best to be free of dependencies on web technology, but occasionally, some JavaScript-based tooling is necessary. We encourage secure use of npm whenever possible and avoid npm whenever security cannot be guaranteed.

npm and its package repository are the main tools for creating web-compatible JavaScript. It's also infamously vulnerable^{1 2 3 4 5 6} to supply chain attacks. Because npm is configured to run arbitrary scripts while installing packages, this means that anybody installing dependencies from the npm package registry is at risk.

• TODO: describe npm workarounds
• TODO: CVE reporting policy
• TODO: dependency updating strategy
  • npm-based stuff is under extra scrutiny
• TODO automatic secret sanitation

---

1. Mini Shai-Hulud attack ↩︎

2. Tanstack supply chain attack ↩︎

3. A satire of npm security by Andrew Nesbitt ↩︎

4. Supply chain self-sabotage on colors and faker ↩︎

5. Supply chain self-sabotage on node-ipc ↩︎

6. Supply chain attack on event-stream ↩︎