kubetail-org / loadjs

A tiny async loader / dependency manager for modern browsers (899 bytes)
MIT License

Security policy questions #106

Closed theodoreb closed 9 months ago

theodoreb commented 2 years ago

The Drupal project is considering adding this library as one of our dependencies, so we're performing a standard stability review. We're looking into adopting this as a dependency of Drupal core (starting from 9.3.0, scheduled to go out in December); the corresponding Drupal core issues are #3228351 and #1988968.

I understand that the library is quite small while being feature complete and stable (there hasn't been a release for a couple of years and it still works very well). This is us doing due diligence more than anything; what we are looking for are a few answers. We do not expect any work done for us; if anything, we could help out if necessary. So thank you in advance for the time spent reading the rest of this issue :)

Since there isn't a policy at https://github.com/muicss/loadjs/security I'm curious if you have any official policies documented somewhere regarding:

Security releases

For example, does more than one version receive security fixes, or only the current version? What would your policy on disclosure be? For example, would you ask users to report security issues privately, and publish the existence of the vulnerability only once a fix is available, for coordinated disclosure?

Release windows/cadence

Given the date of the last release I'm going to go ahead and say it's "as needed". Is that an accurate assumption?

Backwards compatibility guarantees

loadjs uses semver, so I assume the minor version promises not to break BC. Are there any guarantees that a given version will be supported for some period of time (an LTS version, for example)?

Last question: from what I could see back when we looked at this (a couple of years ago), this was the most stable library for the job (we still need IE11 support for now). Since the code has been reused for https://github.com/muicss/johnnydepp, I'm guessing this still holds true today?

Thanks for reading :)

amorey commented 2 years ago

That's great news! I'm excited to hear you're considering using LoadJS for Drupal.

Currently, LoadJS doesn't have a formal security policy but this is something I'd be happy to work on. If you can recommend a particular security policy that I can use as a starting point that would be very helpful.

Here are some answers to your questions:

For example, does more than one version receive security fixes, or only the current version?

Currently, security fixes are applied to the master and they go out as tagged releases.

What would your policy on disclosure be? For example, would you ask users to report security issues privately, and publish the existence of the vulnerability only once a fix is available, for coordinated disclosure?

Yes, I would ask users to report security issues privately and then publish the existence of the vulnerability once a fix is available.

Given the date of the last release I'm going to go ahead and say it's "as needed". Is that an accurate assumption?

Yes, releases are on an "as needed" basis as users report bugs or make feature requests.

loadjs uses semver, so I assume the minor version promises not to break BC. Are there any guarantees that a given version will be supported for some period of time (an LTS version, for example)?

Yes, minor versions don't break BC. Currently, there's no LTS version but the code is small enough and the feature set limited enough that it wouldn't be difficult to make long-term support guarantees.

Last question: from what I could see back when we looked at this (a couple of years ago), this was the most stable library for the job (we still need IE11 support for now). Since the code has been reused for https://github.com/muicss/johnnydepp, I'm guessing this still holds true today?

Yes, LoadJS still supports IE11 (with a CSS loading caveat noted in browser-support). There's a test suite that I run on supported browsers before each release goes out to make sure there aren't any breaking changes.

Let me know what else I can do to help you get LoadJS into the next Drupal release!

theodoreb commented 2 years ago

Thanks so much for the answers. There are a few examples of security policies from other JS projects: https://github.com/focus-trap/tabbable/security/policy is pretty extensive, and there is also a much shorter version like https://github.com/babel/babel/security/policy (although it seems outdated).

For now we don't need an LTS version, but it's good to know it could be possible. We might need it once Drupal 10 comes out (around 2022) and Drupal 9 goes into security-fix-only mode until its end of life (in 2023).

xjm commented 2 years ago

Thanks so much for your replies @amorey! Enjoy the GitHub security policy feature; it is so much easier to document now than it was years back.