Add security and project harness #13
Merged
Adds local and CI tooling to keep the repo ASF-compliant and secure:

- prek (.pre-commit-config.yaml) with pre-commit / commit-msg / pre-push hooks: license-header insertion, trailing-whitespace/EOF/YAML/JSON checks, workflow + dependabot schema validation, a commit-msg hook that rejects Co-authored-by trailers, and a pre-push suite (tests, license allowlist, zizmor).
- Apache-2.0 license headers on all source files (js/py/sh/html), placed after shebangs and PEP-723 metadata blocks.
- Dependency license allowlist check (scripts/check-licenses.mjs) gating npm dependencies to ASF Category-A licenses; wired into CI and pre-push.
- Track package-lock.json files (un-ignored) for reproducible "npm ci".
- Dependabot coverage for mcp/apache-projects-mcp (cooldowns, like the others).
- Consolidate MCP CI into mcp-tests.yml (matrix over both servers x Node 20/22, runs tests + license check); add static-checks.yml running prek.
- AGENTS.md documenting setup, the pre-push checks, and the ASF attribution policy (Generated-by, never Co-authored-by).

Generated-by: Claude Code 2.1.158 (Claude Opus 4.8)
The committed ponymail-mcp lock file pinned fast-uri@3.1.0 (transitive via @modelcontextprotocol/sdk -> ajv), which dependency-review flagged as a high-severity path-traversal / host-confusion vulnerability (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc). Refresh the lock within the existing semver ranges: fast-uri 3.1.0 -> 3.1.2 and hono 4.12.15 -> 4.12.23 (the latter also clears a moderate hono advisory). npm audit now reports 0 vulnerabilities; tests (43/43) and the license check pass.

Generated-by: Claude Code 2.1.158 (Claude Opus 4.8)
Merging.. Adding the harness detected that fast-uri@3.1.0 has been used and it had a real vulnerability. The harness now will detect this (and dependabot will keep our deps updated).
Adds local + CI tooling to keep the repo ASF-compliant and secure:

- (`.pre-commit-config.yaml`) — `pre-commit` (license headers, trailing-whitespace/EOF, YAML/JSON, GitHub-workflow + dependabot schema validation), `commit-msg` (rejects `Co-authored-by:` trailers), and `pre-push` (MCP test suites + dependency license allowlist + zizmor).
- (`scripts/check-licenses.mjs`) — gates npm dependencies to ASF Category-A licenses; per-project `.license-allowlist-exceptions.json` for vetted exceptions. Wired into CI, pre-push, and `npm run licenses`.
- `package-lock.json` (un-ignored) for reproducible `npm ci` installs and stable license checks.
- `mcp/apache-projects-mcp` (release cooldowns, matching the other ecosystems).
- `mcp-tests.yml` (matrix over both servers × Node 20/22, runs tests + license check); new `static-checks.yml` runs prek.
- `AGENTS.md` documenting repo layout, one-time setup, how to run all pre-push checks, and the ASF attribution policy: use a `Generated-by:` trailer naming the agent + version, never `Co-authored-by`.

Setup

Verified locally

- `prek run --all-files` and `prek run --all-files --hook-stage pre-push` — all green.
- `npm ci && npm test && npm run licenses` — pass for both MCP servers.
- `GPL-3.0-only` dependency is rejected, naming the package.
- `Co-authored-by:` message, accepts a `Generated-by:` one.
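
The dependency license gate described in this PR, sketched as an added example (this is not the project's `scripts/check-licenses.mjs`). It goes one step further than a plain lookup by evaluating SPDX `AND`/`OR` expressions; reading licenses from the lockfile's `packages` map, the allowlist subset, the exception shape, and all package and function names are assumptions made for illustration.

```javascript
// Constructed subset of permissive SPDX ids standing in for the real allowlist.
const CATEGORY_A = new Set(["Apache-2.0", "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause"]);

// Evaluate an SPDX expression: OR passes if any branch is allowed, AND only if all are.
// Missing licenses, unbalanced parens and leftovers such as WITH clauses fail closed.
function licenseAllowed(expr, allowed = CATEGORY_A) {
  if (typeof expr !== "string" || expr.trim() === "") return false;
  const tokens = expr.match(/\(|\)|[^\s()]+/g);
  let pos = 0;
  const parseAtom = () => {
    const tok = tokens[pos++];
    if (tok !== "(") return allowed.has(tok);
    const inner = parseOr();
    if (tokens[pos++] !== ")") throw new SyntaxError(`unbalanced: ${expr}`);
    return inner;
  };
  const parseAnd = () => {
    let ok = parseAtom();
    while (tokens[pos] === "AND") { pos++; ok = parseAtom() && ok; }
    return ok;
  };
  const parseOr = () => {
    let ok = parseAnd();
    while (tokens[pos] === "OR") { pos++; ok = parseAnd() || ok; }
    return ok;
  };
  try { return parseOr() && pos === tokens.length; } catch { return false; }
}

// Check a lockfile "packages" map. `exceptions` is a hypothetical shape
// (name -> vetted license), so an exception lapses when the license changes.
function checkLock(lock, exceptions = {}) {
  return Object.entries(lock.packages ?? {})
    .filter(([path]) => path !== "") // skip the root project itself
    .map(([path, meta]) => ({ ...meta, name: path.split("node_modules/").pop() }))
    .filter((p) => !(p.license && exceptions[p.name] === p.license) && !licenseAllowed(p.license))
    .map((p) => `${p.name}@${p.version}: ${p.license ?? "UNKNOWN"}`);
}

// Constructed sample input (package names and versions are made up).
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-server", version: "0.0.0" },
  "node_modules/example-permissive": { version: "1.0.0", license: "MIT" },
  "node_modules/example-dual": { version: "2.1.0", license: "(MIT OR GPL-3.0-only)" },
  "node_modules/example-copyleft": { version: "0.3.0", license: "GPL-3.0-only" },
  "node_modules/example-both": { version: "1.2.0", license: "(Apache-2.0 AND LGPL-2.1-only)" },
  "node_modules/example-nolicense": { version: "4.0.0" },
  "node_modules/@scope/example-vetted": { version: "1.0.0", license: "CC-BY-4.0" },
} };
const SAMPLE_EXCEPTIONS = { "@scope/example-vetted": "CC-BY-4.0" };
console.log(checkLock(SAMPLE_LOCK, SAMPLE_EXCEPTIONS));
```

A CI or pre-push wrapper would exit non-zero whenever the returned list is non-empty, which is what makes the rejection name the offending package.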