docs: refine descriptions and mitigations in THREATMODEL.md#10718

Merged
jasonsaayman merged 1 commit into v1.x from fix/refine-threatmodel
Apr 14, 2026
Conversation

@jasonsaayman jasonsaayman commented Apr 14, 2026


Summary by cubic

Refines the tag-tampering scenario in THREATMODEL.md to use generic wording and clarifies mitigations and residual risks around tag-based publishing. Docs-only; no behavior changes.

Description

  • Summary of changes
    • Generalized the example by removing a specific tag reference; retained v1.99.99 as the out-of-band example.
    • Tightened Mitigations copy to highlight npm re-publish rejection, provenance attestations, and GitHub tag protection.
    • Simplified Gaps to focus on risk of new malicious versions using a generic v1.x.x placeholder.
  • Reasoning
    • Make the threat model version-agnostic and clearer.
    • Reduce ambiguity and keep the residual risk explicit.
  • Additional context
    • Only edits to THREATMODEL.md.

Docs

  • Updates THREATMODEL.md wording for clarity and consistency; no new docs or migration notes.

Testing

  • No tests added or changed; not needed for a docs-only update.

Written for commit 1434fce. Summary will update on new commits.

@jasonsaayman jasonsaayman merged commit 19e9b41 into v1.x Apr 14, 2026
8 of 9 checks passed
@jasonsaayman jasonsaayman deleted the fix/refine-threatmodel branch April 14, 2026 17:11