Merge branch 'master' of github.com:pustovitDmytro/npm-boilerplate

.circleci/config.yml

@@ -7,7 +7,16 @@ cache-defaults: &cache-defaults
     - -{{ checksum "package-lock.json" }}
 
 parameters:
-  env-tests:
+  skip-coveralls:
+    type: boolean
+    default: false
+  skip-security:
+    type: boolean
+    default: false
+  skip-leaks:
+    type: boolean
+    default: false
+  skip-deploy:
     type: boolean
     default: false
 
@@ -17,16 +26,6 @@ aliases:
     command: |
             echo 'export DANGER_GITHUB_API_TOKEN=$(echo Z2hwXzFldFVxODNZTUhCa0ZQUjk0WVV1blFXZTFCVmkzajRSOEpxRQo= | base64 --decode)' >> $BASH_ENV
             source $BASH_ENV
-  - &fossa-install
-    name: Install fossa
-    command: | 
-          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
-  - &fossa-analize
-    name: Send package to fossa
-    command: fossa analyze
-  - &fossa-test
-    name: Check fossa results
-    command: fossa test
   - &danger-pr
     name: Run danger
     command: npx danger ci -d .dangerfile.js
@@ -48,6 +47,9 @@ aliases:
   - &security
     name: Validate dependencies
     command: npm run test:security
+  - &security-all
+    name: Validate dev-dependencies
+    command: npm audit
   - &install
     name: Installing Dependencies
     command: npm ci
@@ -72,13 +74,23 @@ jobs:
   install:
     <<: *defaults
     steps:
-      - run: *fossa-install
       - checkout
       - run: *install
       - run: *security
       - run: *danger-pr
-      - run: *fossa-analize
       - save_cache: *cache-modules
+  test-security:
+    <<: *defaults
+    steps:
+      - checkout
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-security >>
+          steps:
+            - restore_cache:
+                <<: *cache-defaults
+            - run: *security
+            - run: *security-all
   test-coverage:
     <<: *defaults
     steps:
@@ -90,15 +102,11 @@ jobs:
           path: reports
       - store_artifacts:
           path: reports
-      - run: *coveralls
-  test-fossa:
-    <<: *defaults
-    steps:
-      - run: *fossa-install
-      - checkout
-      - restore_cache:
-          <<: *cache-defaults
-      - run: *fossa-test
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-coveralls >>
+          steps:
+            - run: *coveralls
   test-lint:
     <<: *defaults
     steps:
@@ -111,12 +119,16 @@ jobs:
   test-leaks:
     resource_class: small
     docker:
-      - image: zricethezav/gitleaks
+      - image: zricethezav/gitleaks:v7.6.1
     steps:
       - checkout
-      - run:
-          name: Run gitleaks
-          command: "gitleaks -v --path . --config-path .gitleaks.toml"
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-leaks >>
+          steps:
+            - run:
+                name: Run gitleaks
+                command: "gitleaks -v --path . --config-path .gitleaks.toml"
   test-debt:
     <<: *defaults
     steps:
@@ -136,19 +148,26 @@ jobs:
   deploy:
     <<: *defaults
     steps:
-        - checkout
-        - restore_cache:
-            <<: *cache-defaults
-        - run:
-            name: Create Release
-            command: "[ -z ${CIRCLE_SKIP_DEPLOY+x} ] && npm run semantic-release || echo 'job skipped'"
+      - checkout
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-deploy >>
+          steps:
+            - restore_cache:
+                <<: *cache-defaults
+            - run:
+                name: Create Release
+                command: if [ -z ${CIRCLE_SKIP_DEPLOY+x} ]; then npm run semantic-release;else echo 'job skipped';fi
 
 workflows:
   version: 2
   main:
     jobs:
       - install:
           context: branches
+      - test-security:
+          requires:
+            - install
       - test-package:
           requires:
             - install
@@ -164,11 +183,6 @@ workflows:
       - test-leaks:
           requires:
             - install
-      - test-fossa:
-          context: branches
-          requires:
-            - install
-            - test-package
       - deploy:
           context: npm-packages
           requires:
@@ -183,7 +197,3 @@ workflows:
           filters:
             branches:
               only: /pull\/[0-9]+/
-  env-tests:
-    when: << pipeline.parameters.env-tests >>
-    jobs:
-      - install

.cirrus.yml

@@ -0,0 +1,13 @@
+container:
+  image: docker/fossa-analyzer
+
+environment:
+    FOSSA_API_KEY: ENCRYPTED[!2c50354cec1793abe3c6b555b8121330149b461ee4e8d5ef810d467652b74352e5924ab613eea3ac002a3898c6c5a1ef!]
+
+analyze_task:
+  script: fossa analyze
+
+test_task:
+  depends_on:
+    - analyze
+  script: fossa test

.dangerfile.js

@@ -6,8 +6,9 @@ const src = danger.git.fileMatch('src/*');
 const tests = danger.git.fileMatch('tests/*');
 const system = danger.git.fileMatch('.*', '.*/**', 'LICENSE.md', 'package-lock.json', 'package.json');
 const isOwner = danger.github.pr.user.login === danger.github.thisPR.owner;
-const renovateBot = 29139614;
-const TrustedBots = [ renovateBot ];
+const renovateBot = 29_139_614;
+const boltBot = 42_819_689;
+const TrustedBots = [ renovateBot, boltBot ];
 // const isBot = danger.github.pr.user.type === 'Bot';
 const isTrustedBot = TrustedBots.includes(danger.github.pr.user.id);
 const modifiedList = danger.git.modified_files.join('\n\n- ');

.github/FUNDING.yml

@@ -0,0 +1 @@
+patreon: pustovit

.github/ISSUE_TEMPLATE/feature_request.md

@@ -13,8 +13,8 @@ Ex. I'm always frustrated when [...]
 
 **Please follow the general troubleshooting steps first:**
 - [ ] I've searched on the [issue tracker](../) before creating one.
-- [ ] I'm running latest package version.
-- [ ] I'm ready to provide help with enhancement, if needed.
+- [ ] I'm running the latest package version.
+- [ ] I'm ready to provide help with enhancement if needed.
 - [ ] Feature will break current functionality
 
 **Describe the solution you'd like**

.github/ISSUE_TEMPLATE/vulnerability.md

@@ -0,0 +1,30 @@
+---
+name: Vulnerability
+about: Report a vulnerability
+title: 'Security: brief description'
+labels: security
+assignees: pustovitDmytro
+---
+
+**Issue Description**
+
+A clear and concise description of what the bug is. Paste here a brief summary of your issue. If you are able to, please also include: the type of vulnerability, for example, the OWASP category.
+
+**Please follow the general troubleshooting steps first:**
+- [ ] I've searched on the [issue tracker](../) before creating one.
+- [ ] The issue relates to the package's dependency.
+- [ ] The issue relates to the codebase.
+- [ ] I'm running the latest package version.
+- [ ] I'm ready to provide help with a fix if needed.
+
+**Screenshots**
+
+If applicable, add screenshots or logs showing the exploitation of the vulnerability.
+
+**Environment:**
+ - Version X.X.X
+ - Node.js version: XXX
+ - Operating System: XXX
+
+**Additional context**
+Add any other context about the problem here.

.github/SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy
+
+If you’ve found a vulnerability, we would like to know so we can fix it. This notice provides details for how you can let us know about vulnerabilities
+
+## Supported Versions
+
+Only last major version is currently being supported with security updates.
+
+## Reporting a Vulnerability
+
+To report a (suspected) security vulnerability in package code use the **Vulnerability Template** in the issues section.
+
+If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
+
+Report security bugs in third-party modules to the person or team maintaining the module. Use the **Vulnerability Template** if a dependency version update is needed to resolve the vulnerability.
+
+When you are investigating and reporting the vulnerability, you must not:
+
+* break the law
+* access unnecessary or excessive amounts of data
+* modify third-party data
+* use high-intensity invasive or destructive scanning tools to find vulnerabilities
+* try a denial of service - for example overwhelming a real service with a high volume of requests
+* disrupt production services or systems
+* tell other people about the vulnerability you have found until we have disclosed it
+* social engineer, phish or physically attack any staff or infrastructure
+* demand money to disclose a vulnerability
+
+## Bug bounty
+Unfortunately, we doesn't offer a paid bug bounty programme.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a pull request.

.github/workflows/npt.yml

@@ -0,0 +1,47 @@
+name: Node.js versions
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 14
+      - name: Install dependencies
+        run: npm ci
+      - name: Pack tests
+        run: npx npt pack -c .package-tester.json
+      - uses: actions/upload-artifact@master
+        with:
+          name: package-tests
+          path: tmp
+  test:
+    runs-on: ${{ matrix.os }}
+    env:
+      YARGS_MIN_NODE_VERSION: ${{ matrix.node }}
+    strategy:
+      matrix:
+        os: [ macos-latest, windows-latest, ubuntu-latest ]
+        node: [ 10, 12, 14, 16 ]
+    needs: build
+    steps:
+      - uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node }}
+      - name: Show configuration
+        run: |
+          npm config get user-agent
+      - uses: actions/checkout@master
+      - uses: actions/download-artifact@master
+        with:
+          name: package-tests
+          path: tmp
+      - name: Install dependencies
+        working-directory: tmp/package-tests
+        run: npm install
+      - name: Run tests
+        working-directory: tmp/package-tests
+        run: npm run test

.lalapsrc.json

@@ -0,0 +1,31 @@
+{
+    "timezone": "Europe/Kiev",
+    "branchPrefix": "lalaps",
+    "labels": [ "dependencies", "security" ],
+    "schedule": [
+        "before 7:00 am every 10 days starting on the 5th day"
+    ],
+    "verbosity": 0,
+    "commitMessageFix": "Chore: fixes npm audit vulnerabilities",
+    "commitMessagePartialFix": "Chore: fixes some npm audit vulnerabilities",
+    "rules": [ 
+        {
+            "advisory": "npm",
+            "automerge": true,
+            "commitMessageFix": "Fix: fixes npm audit vulnerabilities",
+            "commitMessagePartialFix": "Fix: fixes some npm audit vulnerabilities",
+            "production": true,
+            "branch": "npm-production"
+        },
+        {
+            "advisory": "npm",
+            "automerge": true,
+            "branch": "npm"
+        },
+        {
+            "advisory": "npm",
+            "force": true,
+            "branch": "npm-force"
+        }
+    ]
+}

.releaserc.json

@@ -30,7 +30,12 @@
         ],
         [ 
             "semantic-release-telegram", {
-                "chats": [ 238585617 ]
+                "chats": [ 238585617 ],
+                "telegra.ph"  : {
+                    "title"   : "{name} v.{version}",
+                    "message" : "<a href='{telegraph_url}'>Release Notes</a>",
+                    "content" : "{release_notes}"
+                }
             } 
         ]
     ],

.renovaterc

@@ -3,6 +3,8 @@
         "config:base"
     ],
 
+    "timezone": "Europe/Kiev",
+
     "rangeStrategy": "replace",
     "ignoreUnstable": true,
 
@@ -18,7 +20,7 @@
         "enabled": true,
         "automerge": true,
         "schedule": [
-            "before 3am on the 15th through 20th day of the month"
+            "before 7:00 am every 10 days starting on the 5th day"
         ]
     },
 
@@ -59,7 +61,7 @@
             "rangeStrategy": "bump",
             "semanticCommitType": "Chore",
             "schedule": [
-                "before 3am on the 1th through 5th day of the month"
+                "before 7:00 am every 10 days starting on the 1st day"
             ],
             "automerge": true
         },