ossf/package-manager-best-practices
Package Manager Best Practices

Collection of security best practices documentation for various package managers

A project under the Best Practices for Open Source Developers WG.

Motivation / Objective

This project intends to create documents that cover the recommended way to use various package managers for optimal security.

Video introduction starts here

Scope

Documents for package managers, such as:

  • npm
  • Pip
  • RubyGems
  • etc.

Process

The procedure for proposing, reviewing, and publishing guideline documents is covered in process.md.

Get Involved
