security issues, security advisories, security updates how? #92
Comments
Unfortunately bower doesn't have special procedures for security updates. General guidelines apply.
Thanks for answering. What do you mean by general guidelines?
Just update frequently, and report security bugs directly to maintainers, instead of on public issue tracker. What other steps would you like Bower to do?
I do not have the time to upgrade daily and then test everything (and possibly fix). Or is this the way everyone works with bower? I'd like to have a way to get notified of security issues in (my installed) bower packages. Think of it like the Debian security mailing list: I install packages and get notified of all published security updates, so I can react and see which packages I need to upgrade, and where.
I guess we can create mailing list for important announcements
@toastbrotch Even with NPM, they don't issue security updates. At the time of writing this, you still have to depend on third-party audit modules or apps to notify of new releases. Having said that, yes, that is a feature that should be integrated into core, be it on Bower or NPM.
Npm currently has many tools to check the security status of packages (e.g. npm audit or online services like GitHub security checks or Snyk checks). We'll also publish CVEs for critical security fixes. I've also added SECURITY.md to the bower repository, which says to report security issues directly by e-mail. I hope it's enough.
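Since Bower itself has no advisory feed, the piece you need before any of the checks mentioned above can be applied is an inventory of what is actually installed. The following is an added example, not code from the issue thread or from Bower; it assumes the usual bower_components/<name>/.bower.json layout and uses a constructed sample tree and a placeholder advisory list.

```python
"""Inventory installed Bower components so they can be compared against
CVE data or a third-party scanner report by hand.

Added example, not part of the original issue thread or of Bower itself.
Assumes the standard layout: each installed package keeps its metadata in
bower_components/<name>/.bower.json with "name", "version" and "_source".
"""
import json
import os
import tempfile
from typing import Dict, List, Set


def inventory(components_dir: str) -> List[Dict[str, str]]:
    """Return [{name, version, source}] for every installed component."""
    found: List[Dict[str, str]] = []
    if not os.path.isdir(components_dir):
        return found
    for entry in sorted(os.listdir(components_dir)):
        meta_path = os.path.join(components_dir, entry, ".bower.json")
        if not os.path.isfile(meta_path):
            continue  # not a bower-installed component
        with open(meta_path, encoding="utf-8") as fh:
            meta = json.load(fh)
        found.append({
            "name": meta.get("name", entry),
            "version": meta.get("version", "unknown"),
            "source": meta.get("_source", ""),
        })
    return found


def flag_affected(items: List[Dict[str, str]],
                  advisories: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """advisories maps package name -> affected version strings; you supply
    it from whatever CVE or scanner data you have. Returns matching items."""
    return [i for i in items if i["version"] in advisories.get(i["name"], set())]


def demo_tree() -> str:
    """Constructed sample tree with two made-up components (not real packages)."""
    root = tempfile.mkdtemp()
    for name, version in (("libfoo", "1.2.0"), ("libbar", "0.9.3")):
        pkg_dir = os.path.join(root, name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, ".bower.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version,
                       "_source": f"https://example.invalid/{name}.git"}, fh)
    return root
```

Versions are compared as exact strings here; a real check would need range matching against the advisory's affected-version spec.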
To let bower run in a production environment: how are security issues, security advisories, security updates handled, notified, ...? Could not find any information on security at all....