Skip to content

chore: add security hardening#482

Merged
nikosxenakis merged 1 commit intomainfrom
nikosxenakis/SDK-2664-security-hardening
Apr 14, 2026
Merged

chore: add security hardening#482
nikosxenakis merged 1 commit intomainfrom
nikosxenakis/SDK-2664-security-hardening

Conversation

@nikosxenakis
Copy link
Copy Markdown
Contributor

@nikosxenakis nikosxenakis commented Apr 14, 2026
edited
Loading

Summary

  • Add SECURITY.md with DFINITY's vulnerability reporting policy and bug bounty program details
  • Add minimumReleaseAge: 10080 to pnpm-workspace.yaml to ignore dependency updates released less than 7 days ago

Context

Part of SDK-2664 security hardening across JS/TS repos.

Note: ignore-scripts=true is not added to .npmrc because this repo uses onlyBuiltDependencies in pnpm-workspace.yaml (which already restricts which packages can run install scripts). Adding ignore-scripts=true to .npmrc would override onlyBuiltDependencies and break @dfinity/pic's postinstall binary download.

@nikosxenakis nikosxenakis requested a review from a team as a code owner April 14, 2026 13:47
@nikosxenakis nikosxenakis force-pushed the nikosxenakis/SDK-2664-security-hardening branch from 3273173 to 5e4b673 Compare April 14, 2026 13:59
@nikosxenakis nikosxenakis force-pushed the nikosxenakis/SDK-2664-security-hardening branch from 5e4b673 to f54c6c9 Compare April 14, 2026 14:10
@nikosxenakis nikosxenakis merged commit b764a39 into main Apr 14, 2026
10 checks passed
@nikosxenakis nikosxenakis deleted the nikosxenakis/SDK-2664-security-hardening branch April 14, 2026 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lwshang lwshang lwshang approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nikosxenakis @lwshang