fable-compiler / fable-compiler.github.io

Fable web site
https://fable.io

Security alerts #183

Closed Ryan-Palmer closed 5 months ago

Ryan-Palmer commented 5 months ago

Hello! Just a simple question.

I recently introduced Fable to our company's tech stack. When going through the technical review board process, I was asked how we would know if a vulnerability was found - i.e. are there any bulletin boards, feeds or web pages that we should keep an eye on?

I know it seems like an odd question, especially given that this is a compiler rather than a runtime library, but because we are a bank the infosec requirements are quite tight!

My guess was that if you needed to get a notification out to all users it would be here on Github somewhere and possibly also X / Twitter?

MangelMaxime commented 5 months ago

Hello,

I don't know what you need to consider something to be a "security alert", but we keep track of all the changes made to Fable in Changelog files.

Development of Fable happens at https://github.com/fable-compiler/Fable. Releases of the compiler itself are pushed as GitHub releases.

And we also keep track of the changes using one Changelog file per project / package published. You can find a list in the README.

When making a release, I also tweet at https://twitter.com/FableCompiler.

Ryan-Palmer commented 5 months ago

Hi Maxime :)

Just realised I posted this on the website repo instead of the compiler, apologies.

I think what they were getting at is if you released a version of Fable and then found it was generating JS with vulnerabilities, you might want to push out a new version and tell everyone to update asap. In that case, where would you announce it?

(Again, I know it sounds like an odd question, I also was a bit confused!)

Ryan-Palmer commented 5 months ago

I'll close this issue as you have listed all the places that you guys communicate, and it would of course be through those channels.

Thanks for your help!