From d7a1b1d00bd1ea82aaeb820c0d22a35348faf723 Mon Sep 17 00:00:00 2001
From: Tom King
Date: Fri, 23 Jan 2026 19:01:12 -0800
Subject: [PATCH 1/3] chore: tighten security even more- workflows, pinning, GH settings, etc
---
 .github/workflows/ci.yml | 2 --
 .github/workflows/linter.yml | 4 ++++
 .github/workflows/release.yml | 11 ++++-------
 SECURITY.md | 11 +++--------
 package-lock.json | 8 ++++----
 package.json | 18 +++++++++---------
 pre-push | 10 ++--------
 preflight | 12 ++++++++++++
 8 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad767e0..045757c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,8 +35,6 @@ jobs:
 - name: Security Audit
 run: npm audit --omit=dev --audit-level=moderate
- # TODO: re-evaluate continue-on-error on Dec 18, 2025 or after js-yaml update
- continue-on-error: true
 - name: Install Dependencies
 run: npm ci --prefer-offline
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 978cee7..e118343 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -8,6 +8,10 @@ on:
 branches: [main]
 workflow_dispatch:
+permissions:
+ contents: read
+ statuses: write
+
 # Prevent concurrent runs for the same PR/branch
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1837c33..7e5894a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,9 +18,6 @@ name: "Release"
 - 'true'
 - 'false'
-permissions:
- contents: write
-
 # Prevent concurrent releases
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -30,6 +27,8 @@ jobs:
 release:
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v6
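Review bot: The audit step in this hunk keeps `--omit=dev`, while the same step in release.yml (hunk `@@ -43,8 +42,6`) and the pre-push hook run `npm audit --audit-level=moderate` without it, so a moderate+ advisory in a devDependency (eslint, terser and the other build-time packages pinned in package.json) blocks a release and a push but not CI. Those dev packages are installed by the `npm ci` step that follows and presumably run in this job's later steps, so they are part of its attack surface even though they never ship. Now that `continue-on-error` is gone, align the three on one command, e.g. `run: npm audit --audit-level=moderate`, or record in a comment why dev packages are excluded here. The rest of the job is outside the hunk.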
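Review bot: Removing the workflow-level `permissions:` block without a replacement means any job in release.yml that does not declare its own `permissions:` now gets the repository's default `GITHUB_TOKEN` permissions, which can be read-write depending on the Actions settings; the `release` job (`@@ -30,6 +27,8`) and `deploy-gh-pages` (the `@@ -170,13 +167,13` hunk) are covered, but only those two are visible. A workflow-level floor keeps the least-privilege intent explicit and lets the two jobs widen it: `permissions:` / `  contents: read` at the top of the file, or `permissions: {}`. Whether other jobs exist in this workflow cannot be seen from the hunk.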
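Review bot: `uses: actions/checkout@v6` on the last line of the hunk is a mutable major-version tag, so the pinning this commit introduces (exact versions in package.json) stops at the workflow layer, which is where a token with `contents: write` is in play. The usual control is a full commit SHA with the version in a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v6`, refreshed by a dependency-update bot. The other `uses:` lines of this workflow are outside the hunk and presumably have the same shape.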
@@ -43,8 +42,6 @@ jobs:
 - name: Security Audit
 run: npm audit --audit-level=moderate
- # TODO: re-evaluate continue-on-error on Dec 18, 2025 or after js-yaml update
- continue-on-error: true
 - name: Install Dependencies and Build
 run: |
@@ -170,13 +167,13 @@ jobs:
 retention-days: 90
 deploy-gh-pages:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 needs: release
 timeout-minutes: 8
 # Only deploy gh-pages on actual releases, not dry-runs
 if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.dry_run == 'false')
- permissions:
- contents: write
 steps:
 - name: Checkout Tag
diff --git a/SECURITY.md b/SECURITY.md
index cc8adb6..a653a9a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -137,7 +137,7 @@ attacks:
 - Require branches to be up to date before merging: ✓
 - Required status checks:
 - `Analyze (javascript)` - CodeQL security analysis
- - `Build Summary` - Build and test completion across Node.js versions
+ - `build` - Build and test completion across Node.js versions
 - `Lint Code Base` - Code quality and style checks
 - **Require signed commits**
@@ -153,17 +153,12 @@ attacks:
 - Only repository administrators can push directly
 - **Rules applied to administrators**
- - Include administrators: ✓
- - Even admins must follow branch protection rules
+ - Admins can push commits to pull request branches (bypass mode: pull_request)
+ - Admins still require passing status checks and reviews to merge
 - **Allow force pushes**: ✗ (disabled)
 - **Allow deletions**: ✗ (disabled)
-#### Additional Protections
-
-- **Lock branch**: Consider enabling for release branches
-- **Do not allow bypassing the above settings**: ✓
-
 ### Repository Settings
 Additional security settings enabled:
diff --git a/package-lock.json b/package-lock.json
index 18664da..9d0a3fd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,7 +15,7 @@
 "@typescript-eslint/parser": "^8.53.1",
 "eslint": "^9.39.2",
 "eslint-plugin-security": "^3.0.1",
- "globals": "~17.0.0",
+ "globals": "~17.1.0",
 "terser": "~5.46.0",
 "typescript": "~5.9.3"
 },
@@ -1120,9 +1120,9 @@
 }
 },
 "node_modules/globals": {
- "version": "17.0.0",
- "resolved": "https://registry.npmjs.org/globals/-/globals-17.0.0.tgz",
- "integrity": "sha512-gv5BeD2EssA793rlFWVPMMCqefTlpusw6/2TbAVMy0FzcG8wKJn4O+NqJ4+XWmmwrayJgw5TzrmWjFgmz1XPqw==",
+ "version": "17.1.0",
+ "resolved": "https://registry.npmjs.org/globals/-/globals-17.1.0.tgz",
+ "integrity": "sha512-8HoIcWI5fCvG5NADj4bDav+er9B9JMj2vyL2pI8D0eismKyUvPLTSs+Ln3wqhwcp306i73iyVnEKx3F6T47TGw==",
 "dev": true,
 "license": "MIT",
 "engines": {
diff --git a/package.json b/package.json
index 4f163c3..42be04c 100644
--- a/package.json
+++ b/package.json
@@ -9,15 +9,15 @@
 },
 "description": "Project that makes Safari bookmarklets to automagically jump to the corresponding app and more.",
 "devDependencies": {
- "@eslint/js": "^9.39.2",
- "@types/node": "~25.0.10",
- "@typescript-eslint/eslint-plugin": "^8.53.1",
- "@typescript-eslint/parser": "^8.53.1",
- "eslint": "^9.39.2",
- "eslint-plugin-security": "^3.0.1",
- "globals": "~17.0.0",
- "terser": "~5.46.0",
- "typescript": "~5.9.3"
+ "@eslint/js": "9.39.2",
+ "@types/node": "25.0.10",
+ "@typescript-eslint/eslint-plugin": "8.53.1",
+ "@typescript-eslint/parser": "8.53.1",
+ "eslint": "9.39.2",
+ "eslint-plugin-security": "3.0.1",
+ "globals": "17.1.0",
+ "terser": "5.46.0",
+ "typescript": "5.9.3"
 },
 "engines": {
 "node": ">=24.13.0",
diff --git a/pre-push b/pre-push
index 6a7e6b2..42ff2a3 100755
--- a/pre-push
+++ b/pre-push
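Review bot: The exact pins in this hunk only bite through the lockfile: `npm ci` already installs the exact versions and integrity hashes recorded in package-lock.json, so the range-to-exact change adds no resolution guarantee on its own, and the lockfile plus `npm ci` (never `npm install`) in CI remain the controls that matter. The lockfile's root entry in the `@@ -15,7 +15,7` hunk above still records `"globals": "~17.1.0"` (and `^` ranges for the others) while package.json now says `"globals": "17.1.0"`, so the next `npm install` will rewrite that entry; regenerating the lock in the same commit keeps the two in step. package.json cannot carry a comment, so the intent behind the pins belongs in the repository docs where the next maintainer tempted to restore `^` will see it.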
@@ -47,16 +47,10 @@ echo
 }
 ## npm security audit
-# TODO: re-evaluate non-blocking mode on Dec 18, 2025 or after js-yaml update
-# Once js-yaml vulnerabilities are resolved, change to: npm audit --audit-level=moderate || exit 4
 echo
 echo ' Checking for npm security vulnerabilities'
-if npm audit --audit-level=moderate ; then
- echo " ok, no moderate+ vulnerabilities found."
-else
- echo " WARNING: npm audit found moderate or higher vulnerabilities (temporarily non-blocking)"
- echo " Run 'npm audit' for details"
-fi
+npm audit --audit-level=moderate || exit 4
+echo " ok, no moderate+ vulnerabilities found."
 echo
 # update (or implicit install) node modules
diff --git a/preflight b/preflight
index 075dfd4..78db497 100755
--- a/preflight
+++ b/preflight
@@ -109,4 +109,16 @@ fi
 echo ' scripts/*.js, src/*.ts, .github/linters/*.js: TypeScript & JavaScript OK'
 echo
+## check for @eslint/mcp updates (pinned in .mcp.json)
+if [ -f .mcp.json ]; then
+ MCP_CURRENT=$(sed -n 's/.*@eslint\/mcp@\([0-9][0-9.]*\).*/\1/p' .mcp.json)
+ if [ -n "$MCP_CURRENT" ]; then
+ MCP_LATEST=$(npm view @eslint/mcp version 2>/dev/null)
+ if [ -n "$MCP_LATEST" ] && [ "$MCP_CURRENT" != "$MCP_LATEST" ]; then
+ echo " NOTE: @eslint/mcp $MCP_LATEST available (pinned: $MCP_CURRENT) - update .mcp.json"
+ fi
+ fi
+fi
+echo
+
 echo ' OK, preflight checks passed.'
From 0607a738df49b46cea133000e635a64d5e459bad Mon Sep 17 00:00:00 2001
From: Tom King
Date: Fri, 23 Jan 2026 19:02:59 -0800
Subject: [PATCH 2/3] chore(pre-push): check .mcp.json if it exists
---
 pre-push | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pre-push b/pre-push
index 42ff2a3..5999676 100755
--- a/pre-push
+++ b/pre-push
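Review bot: `MCP_LATEST=$(npm view @eslint/mcp version 2>/dev/null)` in the new preflight block does a network lookup, and if preflight runs under `set -e` (its header is outside the hunk) a failed lookup — offline, registry unreachable — aborts the whole preflight despite the silenced stderr, because an assignment takes the exit status of its command substitution. `MCP_LATEST=$(npm view @eslint/mcp version 2>/dev/null || true)` keeps the check best-effort as the surrounding `-n` tests intend. `sed -n ... p` also prints every matching line, so a second `@eslint/mcp@` mention in .mcp.json makes `$MCP_CURRENT` multi-line and the `!=` test always reports an update; `MCP_CURRENT=$(sed -n 's/.*@eslint\/mcp@\([0-9][0-9.]*\).*/\1/p' .mcp.json | head -n 1)` takes the first match only.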
@@ -47,10 +47,16 @@ echo
 }
 ## npm security audit
+# TODO: re-evaluate non-blocking mode on Dec 18, 2025 or after js-yaml update
+# Once js-yaml vulnerabilities are resolved, change to: npm audit --audit-level=moderate || exit 4
 echo
 echo ' Checking for npm security vulnerabilities'
 npm audit --audit-level=moderate || exit 4
 echo " ok, no moderate+ vulnerabilities found."
+else
+ echo " WARNING: npm audit found moderate or higher vulnerabilities (temporarily non-blocking)"
+ echo " Run 'npm audit' for details"
+fi
 echo
 # update (or implicit install) node modules
From 566fd88fc9456756d058195439a3787de99a7fe7 Mon Sep 17 00:00:00 2001
From: Tom King
Date: Fri, 23 Jan 2026 19:03:39 -0800
Subject: [PATCH 3/3] chore(pre-push): check .mcp.json if it exists
---
 pre-push | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pre-push b/pre-push
index 5999676..6a7e6b2 100755
--- a/pre-push
+++ b/pre-push
@@ -51,8 +51,8 @@ echo
 # Once js-yaml vulnerabilities are resolved, change to: npm audit --audit-level=moderate || exit 4
 echo
 echo ' Checking for npm security vulnerabilities'
-npm audit --audit-level=moderate || exit 4
-echo " ok, no moderate+ vulnerabilities found."
+if npm audit --audit-level=moderate ; then
+ echo " ok, no moderate+ vulnerabilities found."
 else
 echo " WARNING: npm audit found moderate or higher vulnerabilities (temporarily non-blocking)"
 echo " Run 'npm audit' for details"
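Review bot: After this hunk pre-push contains `else` and `fi` with no matching `if`: the added lines follow `npm audit --audit-level=moderate || exit 4` and `echo " ok, no moderate+ vulnerabilities found."` but nothing reopens a conditional, so the hook at commit 0607a738 dies with a syntax error at that `else` and every check after it is skipped. Patch 3/3 restores the `if`, but the intermediate commit is broken, which matters for bisecting; the two patches should be squashed. The subject `chore(pre-push): check .mcp.json if it exists` also does not describe this hunk, which touches only the audit block, and the re-added TODO names `Dec 18, 2025` as the re-evaluation date, already past at this commit's `Fri, 23 Jan 2026`.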
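Review bot: Taken together, patches 2/3 and 3/3 put the pre-push audit block back exactly as it was before patch 1/3 — the blob after this hunk, `6a7e6b2` in `index 5999676..6a7e6b2`, is the one patch 1/3 started from in `index 6a7e6b2..42ff2a3` — so the series ends with the hook's moderate+ audit non-blocking while ci.yml and release.yml in patch 1/3 now fail on the same finding. If a local warning is the intended behaviour, say so in the hook comment and in the patch 1/3 subject rather than re-introducing a dated TODO; otherwise drop patches 2/3 and 3/3 and keep `npm audit --audit-level=moderate || exit 4`. The enclosing audit section of pre-push continues past the hunk.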