Tsaro & sarkar samarwa

Aiki

38.8 KB da aka ƙaranta · 7.7 KB gzipped · 6.7 KB brotli don dukan stylesheet na tushe.
Babu JavaScript — Stylus tsantsa → CSS tsantsa, babu kuɗin lokacin aiki.
Cascade-layered — soke suna cin nasara ba tare da !important ba.
An tilasta kasafin size-limit a CI a kan kowanne commit.

Aiki ikon tsaro ne. Kowane byte da ba a aika shi ba ɗaya ne da ba za a duba shi ba, a sanya hannu, kuma a tabbatar.

Taƙaitaccen sarkar samarwa

Data table table
Iko	Matsayin v2.0.0
CycloneDX SBOM	An ƙirƙira shi a kowanne sakin, an adana shi a ƙarƙashin `dist/sbom.json`
Tabbacin npm	An kunna (`--provenance --access public`)
Alamomin git da aka sanya hannu	SSH da mai kula da makulli ya sanya hannu
Dependabot da aka ƙulla	Sabuntawa na mako-mako, bita ta atomatik
Kasafin girma	`size-limit` iyakar 8 KB gzipped, CI yana gazawa a kan rashin kyau
Lint	`stylelint` + tabbatarwar a11y a kowanne turawa
CodeQL	An kunna don `javascript` da fayilolin daidaitawa
CVE-2023-44270	An gyara ta hanyar `pnpm.overrides` da ke sabunta `postcss@7`

CycloneDX SBOM

Kowanne tarball da aka buga ya haɗa da CycloneDX SBOM a dist/sbom.json. Kuna iya tabbatar da fakiti da aka sabo shigar da:

pnpm add @sebastienrousseau/skeletonic-stylus@2.0.0
jq '.metadata.component.version' \
  node_modules/@sebastienrousseau/skeletonic-stylus/dist/sbom.json
# → "2.0.0"

Ana ƙirƙira SBOM da cyclonedx-npm yayin aikin buga.

Tabbacin npm

An sanya hannu a kan kayan da aka buga ta amfani da tabbacin fakitin npm.

Kuna iya tabbatar da shi bayan shigarwa da:

npm view @sebastienrousseau/skeletonic-stylus@2.0.0 --json | \
  jq '.dist."npm-signature"'

Shaida da aka sanya hannu tana haɗa tarball zuwa ainihin gudanar da GitHub Actions da ya samar da shi.

CVEs da aka sani & gyare-gyare

Data table table
CVE	Tsanani	Matsayi
CVE-2023-44270 (matsalar sakin layi ta postcss)	Matsakaici	An gyara a v2.0.0 ta hanyar `pnpm.overrides` da ke sabunta `postcss` zuwa ≥ 8.4.31

Ana sa ido kan bayanan shawarwarin Snyk da bayanan Shawarwarin Tsaro na GitHub a kullum; gyare-gyaren tsaro ana aika su azaman sakin matakin gyara.

Bayar da rahoton rauni

Don Allah kada ku buɗe matsalar GitHub ta jama'a don rahoton tsaro. Maimakon haka, yi amfani da hanyar sirri a:

github.com/sebastienrousseau/skeletonic-stylus/security/advisories/new

Ana amsa rahotanni a cikin sa'o'i 72 kuma ana aika gyara a cikin kwanaki 14 don matsaloli masu matsakaici, sa'o'i 48 don masu muhimmanci.

Komawa gida → · Karanta tarihin canje-canje →