
fix: resolve OpenSSF Scorecard security alerts#11

Merged
ramonclaudio merged 2 commits into main from fix/security-alerts
Sep 6, 2025

Conversation

@ramonclaudio (Owner)

Summary

  • Fix Token-Permissions security alert by applying least privilege principle
  • Fix Pinned-Dependencies security alert by removing external dependency
  • Replace property-based fuzz tests with basic robustness tests using Node.js built-ins

Changes Made

  • Moved security-events: write permission from top-level to job-level (CodeQL job only)
  • Removed unpinned npm install fast-check@3.22.0 command
  • Replaced fast-check property-based tests with built-in Node.js robustness tests
  • Maintained security testing for edge cases and malicious inputs

Security Impact

  • Reduces attack surface by following least privilege for GitHub token permissions
  • Eliminates supply chain risk from external testing dependencies
  • Maintains robustness testing without external dependencies

Fixes OpenSSF Scorecard security alerts #42 and #45.

The npm publish --provenance command already handles attestation internally
via Sigstore, making the separate GitHub Actions attestation step unnecessary
and causing it to fail when trying to find the consumed .tgz file.

- Move security-events write permission to job-level for CodeQL (follows least privilege)
- Remove external fast-check dependency to maintain zero external deps policy
- Replace property-based fuzz tests with basic robustness tests using Node.js built-ins
- Test edge cases including malicious inputs and malformed data
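As an added illustration (not the project's own workflow file) of the workflow changes described in the PR and commit messages above: the top-level `security-events: write` grant that the OpenSSF Scorecard Token-Permissions check flags, beside the least-privilege shape the PR describes, with a read-only workflow default, `security-events: write` only on the CodeQL job, and a publish job that relies on `npm publish --provenance` with `id-token: write` instead of a separate attestation step. Job names, the Node version, the test command and the action versions (shown as `<commit-sha>` placeholders) are assumptions.

```yaml
# Added example, not the project's workflow. Job names, Node version, test command
# and the <commit-sha> placeholders are assumptions.

# --- before: the shape Scorecard's Token-Permissions check flags ---
# a top-level write scope is inherited by every job, including ones that never
# upload code-scanning results:
#
# permissions:
#   contents: read
#   security-events: write

# --- after: read-only default, write scopes only on the job that uses them ---
name: ci
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read            # workflow-wide default: GITHUB_TOKEN can only read

jobs:
  test:
    runs-on: ubuntu-latest
    # inherits contents: read only; nothing here needs to write
    steps:
      - uses: actions/checkout@<commit-sha>      # pin actions by full commit SHA
      - uses: actions/setup-node@<commit-sha>    # (Pinned-Dependencies check)
        with:
          node-version: 22
      - run: node --test                          # built-in runner; no ad-hoc
                                                  # `npm install <pkg>` step to pin

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # only this job uploads SARIF results
    steps:
      - uses: actions/checkout@<commit-sha>
      - uses: github/codeql-action/init@<commit-sha>
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@<commit-sha>

  publish:
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write           # OIDC token npm exchanges for a Sigstore identity
    steps:
      - uses: actions/checkout@<commit-sha>
      - uses: actions/setup-node@<commit-sha>
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # npm builds and signs the provenance statement for the tarball it publishes;
      # a separate attestation action step is not needed here.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The check to run after a change like this is `scorecard --repo=<owner>/<repo> --checks=Token-Permissions,Pinned-Dependencies`, or simply reading the Scorecard alert again after the next scheduled run: a job-level write scope on the CodeQL job is the pattern the check expects, whereas the same scope at the top level is what produced the alert.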
ramonclaudio merged commit 6298947 into main Sep 6, 2025
4 of 5 checks passed
ramonclaudio deleted the fix/security-alerts branch September 6, 2025 00:28