Skip to content

Migrate vulnerability database to it own repo #359

@vdeturckheim

Description

@vdeturckheim

As many suggested, we should move the vulnerability database (core + ecosystem) to its own repo.
Security Advisories repository: https://github.com/nodejs/security-advisories

Repository Structure

Suggested repo structure would be

package.json
README.md
core
    README.md
    ...json
npm
    README.md
    ...json

Open Questions

  1. should we also build and push an npm package with the vuln db?
  2. should we change the current identifier (the nswg-eco / nswg-core) that is based on the running ids? if so, to what?

Action Items

  • transform the existing format to the new structure
  • announce the change via Twitter and official channels (we can contact Zibby Keaton)
  • announce the change via the official Node.js website by PRing an announcement there
  • an on/off switch for the vuln db in the current sec wg repo to be able to revert changes as needed (we can change the name of the directory or have a commit that removes the vuln_db directory, and later revert the commit if needed to restore immediately)
  • make sure we sync data between this repo and the vuln repo during the announce phase so consumers can already start playing around with it.

Metadata

Metadata

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions