Merge remote-tracking branch 'origin/main' into push-action-fuzz-tests

Author: jescalada

.github/workflows/ci.yml

@@ -83,7 +83,7 @@ jobs:
         path: build
 
     - name: Run cypress test
-      uses: cypress-io/github-action@6c143abc292aa835d827652c2ea025d098311070 # v6.10.1
+      uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2
       with: 
         start: npm start &
         wait-on: "http://localhost:3000"

.github/workflows/codeql.yml

@@ -60,7 +60,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3
+      uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -74,7 +74,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3
+      uses: github/codeql-action/autobuild@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -87,6 +87,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3
+      uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/scorecard.yml

@@ -72,6 +72,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         with:
           sarif_file: results.sarif

.vscode/settings.json

@@ -8,5 +8,6 @@
     "source.fixAll.eslint": "explicit"
   },
   "editor.defaultFormatter": "esbenp.prettier-vscode",
-  "editor.formatOnSave": true
+  "editor.formatOnSave": true,
+  "cSpell.words": ["Deltafied"]
 }

README.md

@@ -94,7 +94,7 @@ customize for your environment, see the [project's documentation](https://git-pr
 
 ## Contributing
 
-Your contributions are at the core of making this a true open source project. Any contributions you make are **greatly appreciated**. See [`CONTRIBUTING.md`](CONTRIBUTING.md) for more information.
+Your contributions are at the core of making this a truly open source project. Any contributions you make are **greatly appreciated**. See [`CONTRIBUTING.md`](CONTRIBUTING.md) for more information.
 
 ## Security
 
@@ -110,12 +110,12 @@ This project is distributed under the Apache-2.0 license. See [`LICENSE`](LICENS
 
 ## Contact
 
-Drop a note, ask a question or just say hello in our [community Slack channel](https://app.slack.com/client/T01E7QRQH97/C06LXNW0W76) 👋
+Drop a note, ask a question or just say hello in our community Slack channel, which is accessible via the [FINOS Slack Workspace](https://finos-lf.slack.com) 👋
 
-If you can't access Slack, you can also [subscribe to our mailing list](mailto:[email protected]).
+If you can't access Slack, you can also [subscribe to our mailing list](mailto:[email protected]) 📨
+
+Otherwise, if you have a deeper query or require more support, please [raise an issue](https://github.com/finos/git-proxy/issues) 🧵
 
 🤝 Join our [fortnightly Zoom meeting](https://zoom-lfx.platform.linuxfoundation.org/meeting/95849833904?password=99413314-d03a-4b1c-b682-1ede2c399595) on Monday, 4PM BST (odd week numbers). 
 🌍 [Convert to your local time](https://www.timeanddate.com/worldclock)
 📅 [Click here](https://calendar.google.com/calendar/event?action=TEMPLATE&tmeid=MTRvbzM0NG01dWNvNGc4OGJjNWphM2ZtaTZfMjAyNTA2MDJUMTUwMDAwWiBzYW0uaG9sbWVzQGNvbnRyb2wtcGxhbmUuaW8&tmsrc=sam.holmes%40control-plane.io&scp=ALL) for the recurring Google Calendar meeting invite. Alternatively, send an e-mail to [[email protected]](https://zoom-lfx.platform.linuxfoundation.org/meeting/95849833904?password=99413314-d03a-4b1c-b682-1ede2c399595#:~:text=Need-,an,-invite%3F) to get a calendar invitation. 
-
-Otherwise, if you have a deeper query or require more support, please [raise an issue](https://github.com/finos/git-proxy/issues).

SECURITY.md

@@ -1,5 +1,13 @@
-## Reporting a vulnerability
+# Security Policy
 
-If you discover a vulnerability in git-proxy, please e-mail [[email protected]](mailto:[email protected]).
+GitProxy supports responsible disclosure of security vulnerabilities and adheres to the [FINOS Security Vulnerabilities Policy](https://community.finos.org/docs/governance/Software-Projects/cve-responsible-disclosure). If you find something you believe to be a security issue in GitProxy, we encourage and appreciate your report. Please report the issue privately to the project maintainers using one of the following methods:
 
-Thank you for improving the security of git-proxy.
+## Reporting a Vulnerability
+- **GitHub Security Reports:** In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the ["Report a vulnerability"](https://github.com/finos/git-proxy/security/advisories) button under the "Security" tab of the associated GitHub project. This creates a private communication channel between the reporter and the maintainers.  
+- **Email:** If you are unable to or have strong reasons not to use the GitHub Security vulnerability reporting feature, please email the maintainers and cc: [[email protected]](mailto:[email protected]) with a description of the vulnerability.
+
+## Vulnerability Process
+
+1. **Report the vulnerability privately** using one of the methods above. Do not create a public GitHub Issue or make any public reference to the vulnerability.
+2. The project team will acknowledge receipt of your report and triage the issue. If a vulnerability is confirmed, the team will work with you to investigate and resolve it.
+3. Once a fix is available, a release will be made and the vulnerability will be publicly disclosed in accordance with the [FINOS policy](https://community.finos.org/docs/governance/Software-Projects/cve-responsible-disclosure).

index.ts

@@ -1,9 +1,11 @@
 #!/usr/bin/env tsx
 /* eslint-disable max-len */
+import path from 'path';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import * as fs from 'fs';
 import { configFile, setConfigFile, validate } from './src/config/file';
+import { initUserConfig } from './src/config';
 import proxy from './src/proxy';
 import service from './src/service';
 
@@ -19,7 +21,7 @@ const argv = yargs(hideBin(process.argv))
     },
     config: {
       description: 'Path to custom git-proxy configuration file.',
-      default: 'proxy.config.json',
+      default: path.join(__dirname, 'proxy.config.json'),
       required: false,
       alias: 'c',
       type: 'string',
@@ -29,6 +31,7 @@ const argv = yargs(hideBin(process.argv))
   .parseSync();
 
 setConfigFile(argv.c as string || "");
+initUserConfig();
 
 if (argv.v) {
   if (!fs.existsSync(configFile)) {