From e1518cf7bdbbb307821a00d152828a4175ac9ae9 Mon Sep 17 00:00:00 2001 From: Gabor Koos Date: Fri, 29 May 2026 01:47:08 +0100 Subject: [PATCH 1/2] docs: readme updated with security section --- .changeset/witty-stamps-draw.md | 5 +++++ README.md | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 .changeset/witty-stamps-draw.md diff --git a/.changeset/witty-stamps-draw.md b/.changeset/witty-stamps-draw.md new file mode 100644 index 0000000..72fa985 --- /dev/null +++ b/.changeset/witty-stamps-draw.md @@ -0,0 +1,5 @@ +--- +'@fetchkit/ffetch': patch +--- + +docs: readme updated with security section diff --git a/README.md b/README.md index f0452fc..55cc420 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ ffetch uses a plugin architecture for optional features, so you only include wha - [Fetch vs. Axios vs. ky vs. `ffetch`](#fetch-vs-axios-vs-ky-vs-ffetch) - [Try ffetch in Action](#try-ffetch-in-action) - [Join the Community](#join-the-community) + - [Security](#security) - [Contributing](#contributing) - [License](#license) 
@@ -386,6 +387,23 @@ Got questions, want to discuss features, or share examples? Join the **Fetch-Kit [![Discord](https://img.shields.io/badge/Discord-Join_Fetch--Kit-7289DA?logo=discord&logoColor=white)](https://discord.gg/sdyPBPCDUg) +## Security + +`ffetch` is scored at **7.4/10** by the [OpenSSF Scorecard](https://securityscorecards.dev/), an automated security health check for open source projects. + +The score reflects: +- ✅ Pinned GitHub Actions dependencies +- ✅ CodeQL static analysis on every PR and push to main +- ✅ Dependabot for dependency updates and security alerts +- ✅ npm publish with OIDC provenance attestations +- ✅ Security policy and private vulnerability reporting +- ✅ Branch protection on `main` +- ✅ SPDX SBOM attached to every release + +The score is capped below 10 due to being a solo-maintained project (no mandatory code review or multiple org contributors). [View the full breakdown](https://scorecard.dev/viewer/?uri=github.com/fetch-kit/ffetch). + +To report a security vulnerability, see [SECURITY.md](./SECURITY.md). + ## Contributing - **Issues**: [GitHub Issues](https://github.com/fetch-kit/ffetch/issues) From 8c6e8b4259238dcf0cb591a82ee67dded70db152 Mon Sep 17 00:00:00 2001 From: Gabor Koos Date: Fri, 29 May 2026 02:12:34 +0100 Subject: [PATCH 2/2] fix: tsconfig.json and version action --- .github/workflows/version.yml | 7 +++++++ tsconfig.json | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml index d26f031..0aaebdc 100644 --- a/.github/workflows/version.yml +++ b/.github/workflows/version.yml 
@@ -27,11 +27,18 @@ jobs: - name: Install dependencies run: npm ci + - name: Lint + run: npm run lint + + - name: Test + run: npm run test:ci + - name: Create Version PR uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1 with: version: npm run version commit: 'chore(release): version packages' title: 'chore(release): version packages' + commitMode: github-api env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/tsconfig.json b/tsconfig.json index a57fe60..e05e639 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -11,7 +11,8 @@ "declaration": true, "outDir": "dist", "rootDir": "src", - "types": ["vitest"] + "types": ["vitest"], + "ignoreDeprecations": "6.0" }, "include": ["src/**/*"], "exclude": ["dist", "node_modules", "**/*.test.ts"]
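Review bot: In the `.changeset/witty-stamps-draw.md` hunk, `'@fetchkit/ffetch': patch` requests a published version bump for a change that touches only `README.md`. That is defensible if the intent is to ship the refreshed README to the package registry, but the changeset summary (`docs: readme updated with security section`) does not say so; either state that a docs-only patch release is intended, or use an empty changeset (front matter with no package entry) so the change is recorded without triggering a release.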
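Review bot: In the `README.md` Security hunk, the hard-coded `**7.4/10**` will be wrong as soon as any Scorecard check changes, and this same patch series changes inputs to it (new `Lint`/`Test` gates and `commitMode: github-api` in `version.yml`). Prefer the Scorecard badge, which is regenerated on every run, e.g. `[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/fetch-kit/ffetch/badge)](https://scorecard.dev/viewer/?uri=github.com/fetch-kit/ffetch)`, and keep the bullet list as the human-readable summary. Two bullets, `Branch protection on main` and `SPDX SBOM attached to every release`, are asserted without anything a reader can check from this repository view; point them at the release assets and the Scorecard breakdown rather than leaving them as bare claims.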
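Review bot: In the `version.yml` hunk, `commitMode: github-api` makes `changesets/action` create the version commit through the GitHub API instead of `git` on the runner, so the commit is attributed to the token identity and shows as verified; that is the right choice if the protected `main` described in the README hunk requires signed commits. Two things are outside the hunk's context and should be confirmed: the job's `permissions:` block must grant `contents: write` and `pull-requests: write` for the API path to work with `secrets.GITHUB_TOKEN`, and if the protection rule also blocks the `github-actions` identity from pushing the release branch, a GitHub App or fine-grained token will be needed instead. The new `Lint` and `Test` steps correctly gate PR creation; while here, also fix the `\ No newline at end of file` on the `GITHUB_TOKEN` line.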
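Review bot: In the `tsconfig.json` hunk, `"ignoreDeprecations": "6.0"` silences every TypeScript 6.0 deprecation in one line, but neither the hunk nor the commit message (`fix: tsconfig.json and version action`) records which option tripped it, so the next reader cannot tell what will break when the deprecated behaviour is removed. `tsconfig.json` accepts comments, so either add one beside the new line naming the deprecated option, or preferably migrate that option so the suppression can be dropped. The accepted value is tied to the compiler release, so it will need revisiting at the next TypeScript major either way.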