evanw / node-source-map-support

Adds source map support to node.js (for stack traces)
MIT License
2.16k stars 222 forks

Fix support for absolute urls in sourceMappingURL #332

Open pfhayes opened 1 year ago

pfhayes commented 1 year ago

Previously, supportRelativeURL would return an invalid response if both file and url were absolute.

sourceMapSupport.supportRelativeURL(
    'http://127.0.0.1:1336/chunk/chunk.js',
    'http://127.0.0.1:1336/chunk/chunk.js.map'
);
// Returns 'http://127.0.0.1:1336/chunk/http:/127.0.0.1:1336/chunk/chunk.js.map'

As a result, retrieveSourceMap would do the wrong thing when used in the browser on source maps with absolute URLs. This adds support.

I added a test but it wasn't clear to me how to update the test environment to support this. Instead, I just exposed the method for testing. I am open to feedback on how this could be improved.
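The resolution problem described in the comment above, as an added example that is not part of the original PR or the project's code. The function names `joinPath`, `naiveResolve` and `resolveSourceMapURL` are hypothetical, and the sketch assumes POSIX-style paths and a runtime with the WHATWG `URL` global (browsers, current Node.js).

```javascript
// Added example: hypothetical helpers, not source-map-support's API.

// Join a directory and a reference, collapsing '', '.' and '..' segments.
function joinPath(dir, rel) {
  const joined = rel.startsWith('/') ? rel : dir + '/' + rel;
  const out = [];
  for (const seg of joined.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

// Path-only resolution: an absolute map URL is treated as a relative path
// under the file's directory, and its '//' is collapsed to '/'.
function naiveResolve(file, url) {
  const dir = file.slice(0, file.lastIndexOf('/'));
  const m = /^\w+:\/\/[^\/]*/.exec(dir);
  const origin = m ? m[0] : '';
  return origin + joinPath(dir.slice(origin.length), url);
}

const HAS_SCHEME = /^[a-zA-Z][a-zA-Z\d+.-]*:\/\//;

// URL-aware resolution: absolute map URLs pass through unchanged,
// relative ones resolve against the file that referenced them.
function resolveSourceMapURL(file, url) {
  if (!file) return url;
  // File is itself a URL: WHATWG resolution covers absolute and relative refs.
  if (HAS_SCHEME.test(file)) return new URL(url, file).href;
  // File is a plain path but the map reference is an absolute URL.
  if (HAS_SCHEME.test(url)) return new URL(url).href;
  // Both are filesystem paths (POSIX-style assumed).
  return joinPath(file.slice(0, file.lastIndexOf('/')), url);
}

// Constructed sample inputs (the first pair is the one quoted in the PR).
const file = 'http://127.0.0.1:1336/chunk/chunk.js';
const absMap = 'http://127.0.0.1:1336/chunk/chunk.js.map';
console.log(naiveResolve(file, absMap));
console.log(resolveSourceMapURL(file, absMap));
console.log(resolveSourceMapURL(file, '../maps/chunk.js.map'));
console.log(resolveSourceMapURL('/srv/app/dist/bundle.js', 'bundle.js.map'));
```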

0xAverageUser commented 12 months ago

@pfhayes As a dependency of some other major open source projects, please consider some easy security improvements to your project!

  1. Enable Branch Protection: This is critical for preventing unauthorized changes to your code. You can enable it in your repository settings on GitHub. Here's a sample code snippet for a .yml file to enforce branch protection:

     ```yaml
     branches:
       - name: master
         protection:
           required_pull_request_reviews:
             required_approving_review_count: 1
           required_status_checks:
             strict: true
             contexts: [ 'ci/test' ]
     ```

  2. Implement Code Review: This is crucial for catching potential security vulnerabilities before they're merged into your codebase. You can enforce this by setting up a pull request template in your repository. Here's a sample .github/PULL_REQUEST_TEMPLATE.md file:

     ```markdown
     ## Proposed Changes

     Please describe the changes in this PR. This could be a bug fix, feature, etc.

     ## Type of Change

     What type of change does your code introduce to this project?

     - [ ] Bugfix
     - [ ] New feature
     - [ ] Enhancement
     - [ ] Other

     ## Reviewer Notes

     Anything else we should know about this PR?
     ```

  3. Pin Dependencies: This helps to prevent potential security vulnerabilities from dependencies. You can do this by specifying exact versions in your package.json file (for JavaScript projects). Here's a sample:

     ```json
     "dependencies": {
       "express": "4.17.1",
       "mongoose": "5.12.3"
     }
     ```

Please replace the branch names, context, and dependencies with those relevant to your project.