
Reboot Security 🔒 #1

@UlisesGascon

Overview

Related to yeoman/yeoman#1779

The goal of this security plan is to ensure that Yeoman remains a secure, reliable tool for the community. By defining clear policies, roles, and responsibilities—and by proactively monitoring and mitigating vulnerabilities—we can help protect Yeoman users from potential threats.

General Approach

  1. Establish a clear reporting process
    • Provide a transparent path for security researchers and community members to report vulnerabilities.
  2. Maintain secure development practices
    • Regularly review code, update dependencies, and follow security best practices.
  3. Audit and monitor
    • Continuously track known vulnerabilities, apply patches, and communicate risks to stakeholders.

Backlog

  • Define a comprehensive SECURITY.md at the organization level
    • Document a responsible disclosure policy (including how to report security issues and expected response times).
    • Include guidance on how vulnerabilities are triaged and fixed.
    • See: docs: add a security policy #2
  • Create a .github repository or folder for organization-wide resources
  • Implement OSSF Scorecard recommendations
  • Review CVEs for known vulnerabilities
  • Create a threat model
  • Review and update GitHub teams/permissions
    • Ensure the principle of least privilege is followed.
    • Restrict sensitive actions (e.g., publishing, merging to main) to trusted maintainers/contributors.
  • Review and update teams/permissions on npm
    • Verify correct ownership and publishing rights.
    • Rotate access tokens or credentials (if needed).
  • Update vulnerable dependencies
    • Identify and upgrade libraries with known vulnerabilities.
  • Plan releases to improve project security posture
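As an added example (not Yeoman project code), the following Node.js script shows the two checks behind the npm permissions and vulnerable-dependency items in the backlog above: it filters an `npm audit --json` report by minimum severity, and it diffs the account list from `npm view <pkg> maintainers --json` against the accounts expected to hold publish rights. The package names, maintainer handles, e-mail addresses and advisory titles are constructed placeholders so the script runs offline; the report field names follow the npm 7+ audit report format.

```javascript
// Added example, not Yeoman project code. Two maintainer-side checks over npm data:
//  1. filter an `npm audit --json` report (npm 7+ format) by minimum severity;
//  2. diff the `npm view <pkg> maintainers --json` list for a package against the
//     accounts that are expected to hold publish rights.
// All inputs below are constructed samples with placeholder names so the script runs
// offline; in practice feed it the real command output (e.g. via child_process).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed `npm audit --json` report (subset of the fields npm emits).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-template-engine': {
      name: 'example-template-engine', severity: 'high', isDirect: true, range: '<2.0.1',
      via: [{ name: 'example-template-engine', title: 'Placeholder advisory A', severity: 'high' }],
      fixAvailable: true,
    },
    'example-arg-parser': {
      name: 'example-arg-parser', severity: 'moderate', isDirect: false, range: '<1.2.6',
      via: [{ name: 'example-arg-parser', title: 'Placeholder advisory B', severity: 'moderate' }],
      fixAvailable: true,
    },
    'example-core': {
      // Transitively affected: `via` holds the name of the package it is vulnerable through.
      name: 'example-core', severity: 'critical', isDirect: false, range: '*',
      via: ['example-template-engine'],
      fixAvailable: false,
    },
  },
};

// Constructed `npm view <pkg> maintainers --json` output and the expected allowlist.
const SAMPLE_MAINTAINERS = [
  { name: 'maintainer-a', email: 'a@example.com' },
  { name: 'ci-publisher', email: 'ci@example.com' },
];
const EXPECTED_MAINTAINERS = ['maintainer-a', 'maintainer-b'];

// Return vulnerable packages at or above minSeverity, worst first. A severity string
// the script does not know is treated as critical rather than silently skipped.
function findVulnerableDeps(auditReport, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const findings = [];
  for (const [name, entry] of Object.entries(auditReport.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[entry.severity] ?? SEVERITY_RANK.critical;
    if (rank < threshold) continue;
    findings.push({
      name,
      severity: entry.severity,
      range: entry.range,
      direct: Boolean(entry.isDirect),
      fixAvailable: Boolean(entry.fixAvailable),
      // `via` mixes advisory objects (this package's own advisories) with plain
      // strings (names of the packages a transitive finding comes through).
      advisories: (entry.via || []).filter(v => typeof v === 'object').map(v => v.title),
    });
  }
  return findings.sort(
    (a, b) => (SEVERITY_RANK[b.severity] ?? 4) - (SEVERITY_RANK[a.severity] ?? 4));
}

// Diff actual publishers against the allowlist. `unexpected` accounts can publish
// releases and must be explained or removed; `missing` ones may have been renamed,
// deleted, or dropped from the package without anyone noticing.
function checkMaintainers(maintainers, allowlist) {
  const actual = new Set(maintainers.map(m => m.name));
  const expected = new Set(allowlist);
  return {
    unexpected: [...actual].filter(n => !expected.has(n)).sort(),
    missing: [...expected].filter(n => !actual.has(n)).sort(),
  };
}

// Stand-alone run over the constructed samples.
for (const f of findVulnerableDeps(SAMPLE_AUDIT, 'high')) {
  console.log(`${f.severity.toUpperCase()} ${f.name} (${f.range})`
    + `${f.direct ? ' direct' : ' transitive'}${f.fixAvailable ? '' : ', no fix available'}`
    + (f.advisories.length ? `: ${f.advisories.join('; ')}` : ''));
}
console.log(checkMaintainers(SAMPLE_MAINTAINERS, EXPECTED_MAINTAINERS));
```

The severity threshold is the release gate: anything at or above it blocks publishing until it is upgraded or explicitly accepted, and a transitive finding with no fix available (like the constructed `example-core` entry) is the case that needs a maintainer decision rather than an automatic `npm audit fix`. The maintainer diff is worth running on a schedule, since npm publish rights drift over time and a stale or unknown account is exactly the token that should be rotated or removed.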

Notes

This is an open discussion, and this backlog may evolve over time as we implement these actions. Feel free to participate and suggest additional improvements. 👍

Metadata

Labels

No labels

Type

No type

Projects

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests