Docs/add security section

.changeset/witty-stamps-draw.md

@@ -0,0 +1,5 @@
+---
+'@fetchkit/ffetch': patch
+---
+
+docs: readme updated with security section

.github/workflows/version.yml

@@ -27,11 +27,18 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Lint
+        run: npm run lint
+
+      - name: Test
+        run: npm run test:ci
+
       - name: Create Version PR
         uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1
         with:
           version: npm run version
           commit: 'chore(release): version packages'
           title: 'chore(release): version packages'
+          commitMode: github-api
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -49,6 +49,7 @@ ffetch uses a plugin architecture for optional features, so you only include wha
   - [Fetch vs. Axios vs. ky vs. `ffetch`](#fetch-vs-axios-vs-ky-vs-ffetch)
   - [Try ffetch in Action](#try-ffetch-in-action)
   - [Join the Community](#join-the-community)
+  - [Security](#security)
   - [Contributing](#contributing)
   - [License](#license)
 
@@ -386,6 +387,23 @@ Got questions, want to discuss features, or share examples? Join the **Fetch-Kit
 
 [![Discord](https://img.shields.io/badge/Discord-Join_Fetch--Kit-7289DA?logo=discord&logoColor=white)](https://discord.gg/sdyPBPCDUg)
 
+## Security
+
+`ffetch` is scored at **7.4/10** by the [OpenSSF Scorecard](https://securityscorecards.dev/), an automated security health check for open source projects.
+
+The score reflects:
+- ✅ Pinned GitHub Actions dependencies
+- ✅ CodeQL static analysis on every PR and push to main
+- ✅ Dependabot for dependency updates and security alerts
+- ✅ npm publish with OIDC provenance attestations
+- ✅ Security policy and private vulnerability reporting
+- ✅ Branch protection on `main`
+- ✅ SPDX SBOM attached to every release
+
+The score is capped below 10 due to being a solo-maintained project (no mandatory code review or multiple org contributors). [View the full breakdown](https://scorecard.dev/viewer/?uri=github.com/fetch-kit/ffetch).
+
+To report a security vulnerability, see [SECURITY.md](./SECURITY.md).
+
 ## Contributing
 
 - **Issues**: [GitHub Issues](https://github.com/fetch-kit/ffetch/issues)

tsconfig.json

@@ -11,7 +11,8 @@
     "declaration": true,
     "outDir": "dist",
     "rootDir": "src",
-    "types": ["vitest"]
+    "types": ["vitest"],
+    "ignoreDeprecations": "6.0"
   },
   "include": ["src/**/*"],
   "exclude": ["dist", "node_modules", "**/*.test.ts"]