phpro / grumphp

A PHP code-quality tool
MIT License

Provide a security policy for this library #1072

Closed TravisCarden closed 1 year ago

TravisCarden commented 1 year ago

Hi! I'm currently using GrumPHP on a library created specifically for inclusion in Drupal core (https://github.com/php-tuf/composer-stager), where we have a policy of evaluating the security policies of packages before adding them as dependencies. I don't see any such policy here (e.g., at https://github.com/phpro/grumphp/security). Do you have one? If so, would you be kind enough to publish it? If not, would you consider creating one? Thank you!

veewee commented 1 year ago

Hello Travis,

Thanks for reporting. I'll have to look into setting up that specific policy for GrumPHP.

Do you have any example policies to share? Because I couldn't find a security policy for composer-stager either.

TravisCarden commented 1 year ago

Sure, @veewee. We're working on defining our security policy right now. Symfony has one at https://github.com/symfony/symfony/security/policy which we're looking at as an example.

veewee commented 1 year ago

@TravisCarden I've added a small policy: https://github.com/phpro/grumphp/blob/master/SECURITY.md

I'm lucky not to have too much experience with security vulnerabilities (knocks on wood), so if you find something is missing, feel free to propose alternatives.

TravisCarden commented 1 year ago

Thanks, @veewee!