docs: Add Security Advisory Policy for vega #4008
| To setup a development environment follow the [Build Instructions in README.md](https://github.com/vega/vega/#Build-Instructions). We use [Yarn workspaces](https://yarnpkg.com/lang/en/docs/workspaces/) and [lerna](https://github.com/lerna/lerna) to manage the monorepo packages. | ||
| To setup a development environment follow the [Build Instructions in README.md](#build-instructions). We use [Yarn workspaces](https://yarnpkg.com/lang/en/docs/workspaces/) and [lerna](https://github.com/lerna/lerna) to manage the monorepo packages. | ||
|
|
||
| ## Build Instructions |
This section was lifted without modifications from README.md
| - After running either `yarn test` or `yarn build`, run `yarn serve` to launch a local web server — your default browser will open and you can browse to the `"test"` folder to view test specifications. | ||
|
|
||
| This repository includes the Vega website and documentation in the `docs` folder. To launch the website locally, first run `bundle install` in the `docs` folder to install the necessary Jekyll libraries. Afterwards, use `yarn docs` to build the documentation and launch a local webserver. After launching, you can open [`http://127.0.0.1:4000/vega/`](http://127.0.0.1:4000/vega/) to see the website. | ||
| Try using Vega in the online [Vega Editor](https://vega.github.io/editor/#/examples/vega/bar-chart). |
This is based on a similar line in the Vega-Lite readme.md to encourage people to try the library right away without having to install anything.
|
|
||
| ## Internet Explorer Support | ||
| For backwards compatibility, Vega includes a [babel-ified](https://babeljs.io/) IE-compatible version of the code in the `packages/vega/build-es5` directory. Older browser would also require several polyfill libraries: | ||
| For backwards compatibility, Vega includes a [babel-ified](https://babeljs.io/) IE-compatible version of the code in the `packages/vega/build-es5` directory. Older browsers also require these polyfill libraries: |
I considered moving this section on IE into Contributing / Development as well, but decided to leave it in place. I'm not sure how relevant this section still is to keep on the homepage given the default MSFT browser has been Edge for 10 years.
Let's delete it in the next major version.
Noting this as part of the ESM support (since switching over would end that compatibility): #3990
| @@ -0,0 +1,21 @@ | |||
| # Security | |||
|
|
|||
I blended the GitHub and Electron READMEs together.
We could alternately put this directly in our .github community folder to have a policy that applies to all repos in the vega org, but I figured it would be safe and meaningful to start with vega/vega (since this is the core browser runtime that every other package is importing).
Yeah, makes sense to have one for Vega specifically. We could also link to the org one for more info so we only have to maintain one place.
SECURITY.md
|
|
||
| ## Preferred Languages | ||
|
|
||
| We prefer communications to be in English. |
| Try using Vega in the online [Vega Editor](https://vega.github.io/editor/#/examples/vega/bar-chart). | ||
|
|
||
| ## Internet Explorer Support | ||
| For backwards compatibility, Vega includes a [babel-ified](https://babeljs.io/) IE-compatible version of the code in the `packages/vega/build-es5` directory. Older browser would also require several polyfill libraries: |
We should get rid of that actually. But not here.
Makes sense to handle that in a separate issue 👍
SECURITY.md
|
|
||
| A Vega maintainer will send a response indicating next steps in handling your report. After the initial reply, the team will keep you informed of the progress towards a fix and announcement, and may ask for additional information or guidance. | ||
|
|
||
| You can also report a vulnerability through the [npm contact form](https://www.npmjs.com/support) by selecting "I'm reporting a security vulnerability". |
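Review bot: the line "A Vega maintainer will send a response indicating next steps in handling your report" commits to a reply but gives no target time for it; reporters use that window to decide when to escalate or go public, so state one, even an approximate acknowledgement window, in this hunk. The last line adds the npm contact form as a second intake path that does not reach the maintainers directly (it goes to whoever owns the npm package account), so either say who receives those reports and how they are forwarded, or keep a single reporting path.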
I believe the NPM security team would contact the account owner for https://www.npmjs.com/package/vega . I'm including this mainly so that someone without a Github account has a way to reach us.
If we would find this redundant with the Github security advisory feature, I can remove it.
Yeah, let's remove it and have one clear path.
| @@ -0,0 +1,21 @@ | |||
| # Security | |||
Is there a way to have an org wide document rather than per repo?
Added a modified proposal to the shared repo vega/.github#20 . It will fill in for any repos that are missing a local security advisory.
SECURITY.md
|
|
||
| ## Languages | ||
|
|
||
| Communications should be in English. |
I think we can delete that since we already have that for the org. If we ever get a request not in English, we can respond.
The main reason to have a dedicated one for Vega/Vega vs reusing the org one is to have an updated link for the "report a vulnerability" tab, and so people have a copy of this file when they git clone.

You are right that most of the document is the same as in the org link. We could shorten this doc to just the pointer to the org link and the intro/report a vulnerability link if we prefer. There's already a link to the org one at the bottom of the SECURITY.md in this PR.
On Mon, Feb 3, 2025 at 4:47 PM Dominik Moritz wrote:
Can we just not do anything specific here? Or just add a short reference to the org one?
Screenshot.2025-02-03.at.16.45.52.png <https://github.com/user-attachments/assets/0baa02bb-6859-4bd8-9069-97ffc0716226>
Yes, that was what I was thinking.
Changes since v5.31.0

**vega-expression**
* Add base64 string encoder/decoder to `vega-expression` and `vega-interpreter` (via #4009). (Thanks @hydrosquall!)

**vega-typings**
* Add Typescript Types for `vega-loader` (via #4000). (Thanks @hydrosquall!)

**docs**
* Correct data year citation in dorling-cartogram example (via #4006). (Thanks @dsmedia!)
* Update typo in vega.timeFloor description (via #4010). (Thanks @hydrosquall!)
* Add Security Advisory Policy for Vega (via #4008). (Thanks @hydrosquall!)
* Replace redirect url in `expressions.md` (via #3996). (Thanks @dangotbanned!)
* correct queries to query in `crossfilter.md` (via #4005). (Thanks @danmarshall!)

---------

Signed-off-by: Lukas Hermann <1734032+lsh@users.noreply.github.com>
Motivation

Changes

- SECURITY.md (Security Policy), following a slack discussion in the Maintainers channel. This is based on
- Vega README a bit more like the Vega-Lite one (shorter and with more direct docs links). I can revert these changes if preferred, I figured it didn't hurt to propose them.