-
-
Notifications
You must be signed in to change notification settings - Fork 131
Closed
Labels
Description
As many suggested, we should move the vulnerability database (core + ecosystem) to its own repo.
Security Advisories repository: https://github.com/nodejs/security-advisories
Repository Structure
Suggested repo structure would be
package.json
README.md
core
README.md
...json
npm
README.md
...json
Open Questions
- should we also build and push an npm package with the vuln db?
- should we change the current identifier (the nswg-eco / nswg-core) that is based on the running ids? if so, to what?
Action Items
- transform the existing format to the new structure
- announce the change via Twitter and official channels (we can contact Zibby Keaton)
- announce the change via the official Node.js website by PRing an announcement there
- an on/off switch for the vuln db in the current sec wg repo to be able to revert changes as needed (we can change the name of the directory or have a commit that removes the vuln_db directory, and later revert the commit if needed to restore immediately)
- make sure we sync data between this repo and the vuln repo during the announce phase so consumers can already start playing around with it.