chore: create security.txt #878
Conversation
@daallgeier is attempting to deploy a commit to the Documenso Team on Vercel. A member of the Team first needs to authorize it.
Hey there! And thank you for opening this pull request! 📝👋🏼 We require pull request titles to follow the Conventional Commits Spec and it looks like your proposed title needs to be adjusted. Details:
Hey there, it looks like you haven't accepted our contributor license agreement yet. In order for us to accept your pull request we ask that you please fill out the CLA:
EDIT: apparently you can enable a beta for privately reporting security issues: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability. Do that by adding another line with Contact and either just the address or mailto:security@...
Should probably be under the public directory in both the marketing and webapp; we can use a script to copy-paste it as we've done for pdfjs.
I guess that makes sense. I am not sure about (your) mono repo architecture(s). |
All sorted! Thanks Tangerine 🍊
const wellKnownPath = path.join(__dirname, '../.well-known'); | ||
console.log('Copying .well-known/ contents to apps'); |
Is this console log necessary?
It'll double log since we also echo in the pre-commit but I'd say this is also fine 😄
const wellKnownPath = path.join(__dirname, '../.well-known'); | ||
console.log('Copying .well-known/ contents to apps'); | ||
fs.cpSync(wellKnownPath, path.join(__dirname, '../apps/web/public/.well-known'), { |
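Review bot: `fs.cpSync` only copies a directory when the options object contains `recursive: true`; without it the call throws because `../.well-known` is a directory, and the options are cut off at `{` on this line, so confirm `recursive: true` is set. Only `apps/web/public/.well-known` is visible as a destination here, while the earlier comment asked for the marketing app's `public/` directory as well, so a second copy with that destination should be present too.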
`cpSync` is in Stage 1 and it says the following on their page: "Use of the feature is not recommended in production environments." Should we go ahead and use it?
@Mythie unsure about this. other than that, this is good to go IMO
It's a script rather than something in production it's fine.
Adding a security.txt file enables security researchers to quickly and easily see where they can submit security issues and know that they are being taken seriously. From the proposal website:
See also https://securitytxt.org