php-parallel-lint / PHP-Parallel-Lint

This tool checks the syntax of PHP files faster than a serial check, with fancier output.

287 stars, 21 forks

Provide a security policy for this library #138

Closed TravisCarden closed 5 months ago

TravisCarden commented 1 year ago

Hi! I'm currently using PHP-Parallel-Lint on a library created specifically for inclusion in Drupal core (https://github.com/php-tuf/composer-stager), where we have a policy of evaluating the security policies of packages before adding them as dependencies. I don't see any such policy here (e.g., at https://github.com/php-parallel-lint/PHP-Parallel-Lint/security). Do you have one? If so, would you be kind enough to publish it? If not, would you consider creating one? Thank you!

jrfnl commented 1 year ago

Sounds like a good idea. Would you be willing to submit a PR to that effect? If not, as you say this is standard practice in the Drupal world, you may have some links to good base resources?

If nothing else, I think the GitHub native option to privately report security issues should be turned on, but I think @grogy will need to do so. I don't seem to have the right permissions for that.

Having said that and while I value security very highly, please do realize that this is a dev tool and not meant to be run in a production environment.

TravisCarden commented 1 year ago

> Sounds like a good idea. Would you be willing to submit a PR to that effect?

I'd be happy to, but you'll probably want to enable "privately report security issues" first, because you'll want your security policy to link to the form I assume it creates. The "Set up a security policy" option provides a suggested template. Alternatively, you can see a couple of good examples at https://github.com/symfony/symfony/security/policy and https://github.com/phpstan/phpstan/security/policy.

> Having said that and while I value security very highly, please do realize that this is a dev tool and not meant to be run in a production environment.

Absolutely; I understand. This is kind of a formality for precisely that reason, but it may speed up the evaluation process. I definitely appreciate your accommodation! 🙂

jrfnl commented 5 months ago

Closing as this has now been actioned.

Security policy: https://github.com/php-parallel-lint/PHP-Parallel-Lint?tab=security-ov-file#readme

And security vulnerabilities can now be reported privately via: https://github.com/php-parallel-lint/PHP-Parallel-Lint/security/advisories/new