Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 55a0f80d73 |
+58
@@ -0,0 +1,58 @@
|
|||||||
|
# Security and sensitive files
|
||||||
|
.env*
|
||||||
|
*.key
|
||||||
|
*.pem
|
||||||
|
*.p12
|
||||||
|
*.pfx
|
||||||
|
secrets/
|
||||||
|
private/
|
||||||
|
config/secrets/
|
||||||
|
|
||||||
|
# Development files
|
||||||
|
node_modules/
|
||||||
|
.npm/
|
||||||
|
.npmrc
|
||||||
|
.nvmrc
|
||||||
|
*.log
|
||||||
|
*.tmp
|
||||||
|
.DS_Store
|
||||||
|
Thumbs.db
|
||||||
|
|
||||||
|
# Build artifacts
|
||||||
|
dist/
|
||||||
|
build/
|
||||||
|
target/
|
||||||
|
*.tgz
|
||||||
|
*.tar.gz
|
||||||
|
|
||||||
|
# IDE files
|
||||||
|
.vscode/
|
||||||
|
.idea/
|
||||||
|
*.swp
|
||||||
|
*.swo
|
||||||
|
*~
|
||||||
|
|
||||||
|
# Test files
|
||||||
|
test/
|
||||||
|
tests/
|
||||||
|
__tests__/
|
||||||
|
*.test.js
|
||||||
|
*.test.ts
|
||||||
|
*.spec.js
|
||||||
|
*.spec.ts
|
||||||
|
|
||||||
|
# Documentation
|
||||||
|
docs/
|
||||||
|
*.md
|
||||||
|
!README.md
|
||||||
|
|
||||||
|
# CI/CD files
|
||||||
|
.github/
|
||||||
|
.gitlab-ci.yml
|
||||||
|
.travis.yml
|
||||||
|
.circleci/
|
||||||
|
azure-pipelines.yml
|
||||||
|
|
||||||
|
# Scripts
|
||||||
|
scripts/
|
||||||
|
!scripts/security-check.sh
|
||||||
@@ -0,0 +1,21 @@
|
|||||||
|
audit-level=moderate
|
||||||
|
fund=false
|
||||||
|
update-notifier=false
|
||||||
|
ignore-scripts=false
|
||||||
|
strict-ssl=true
|
||||||
|
|
||||||
|
registry=https://registry.npmjs.org/
|
||||||
|
audit=true
|
||||||
|
package-lock=true
|
||||||
|
package-lock-only=false
|
||||||
|
save-exact=false
|
||||||
|
|
||||||
|
# use npm ci for production builds (faster and more secure)
|
||||||
|
# this will be enforced in CI/CD scripts
|
||||||
|
|
||||||
|
# prevent installation of optional dependencies that might contain vulnerabilities
|
||||||
|
optional=false
|
||||||
|
audit=true
|
||||||
|
update-notifier=false
|
||||||
|
|
||||||
|
save-exact=false
|
||||||
+17
-2
@@ -45,7 +45,15 @@
|
|||||||
"types:lint:fix": "lerna run lint:fix --scope @nymproject/types --scope @nymproject/nym-wallet-app",
|
"types:lint:fix": "lerna run lint:fix --scope @nymproject/types --scope @nymproject/nym-wallet-app",
|
||||||
"audit:fix": "npm_config_yes=true npx yarn-audit-fix -- --dry-run",
|
"audit:fix": "npm_config_yes=true npx yarn-audit-fix -- --dry-run",
|
||||||
"dev:on": "node sdk/typescript/scripts/dev-mode-add.mjs",
|
"dev:on": "node sdk/typescript/scripts/dev-mode-add.mjs",
|
||||||
"dev:off": "node sdk/typescript/scripts/dev-mode-remove.mjs"
|
"dev:off": "node sdk/typescript/scripts/dev-mode-remove.mjs",
|
||||||
|
"security:audit": "yarn audit --level moderate",
|
||||||
|
"security:audit:fix": "yarn audit --fix",
|
||||||
|
"security:audit:ci": "yarn install --frozen-lockfile && yarn audit --level moderate",
|
||||||
|
"security:check": "yarn audit --level high && yarn list --depth=0",
|
||||||
|
"security:outdated": "yarn outdated",
|
||||||
|
"security:verify": "yarn audit --level moderate && yarn list --depth=0 && yarn outdated",
|
||||||
|
"security:full": "./scripts/security-check.sh",
|
||||||
|
"security:ci": "yarn install --frozen-lockfile && ./scripts/security-check.sh"
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@npmcli/node-gyp": "^3.0.0",
|
"@npmcli/node-gyp": "^3.0.0",
|
||||||
@@ -62,6 +70,13 @@
|
|||||||
"@cosmjs/proto-signing": "^0.32.4",
|
"@cosmjs/proto-signing": "^0.32.4",
|
||||||
"@cosmjs/stargate": "^0.32.4",
|
"@cosmjs/stargate": "^0.32.4",
|
||||||
"@cosmjs/cosmwasm-stargate": "^0.32.4",
|
"@cosmjs/cosmwasm-stargate": "^0.32.4",
|
||||||
"cosmjs-types": "^0.9.0"
|
"cosmjs-types": "^0.9.0",
|
||||||
|
"chalk": "5.3.0",
|
||||||
|
"strip-ansi": "7.1.0",
|
||||||
|
"color-convert": "2.0.1",
|
||||||
|
"color-name": "1.1.4",
|
||||||
|
"is-core-module": "2.13.1",
|
||||||
|
"error-ex": "1.3.2",
|
||||||
|
"has-ansi": "5.0.1"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Executable
+54
@@ -0,0 +1,54 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
echo "starting security checks..."
|
||||||
|
|
||||||
|
if [ ! -f "package.json" ]; then
|
||||||
|
echo "error: package.json not found, please run this script from the project root."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "checking Node.js version..."
|
||||||
|
if [ -f ".nvmrc" ]; then
|
||||||
|
REQUIRED_NODE_VERSION=$(cat .nvmrc)
|
||||||
|
CURRENT_NODE_VERSION=$(node --version | sed 's/v//')
|
||||||
|
echo "required Node.js version: $REQUIRED_NODE_VERSION"
|
||||||
|
echo "current Node.js version: $CURRENT_NODE_VERSION"
|
||||||
|
|
||||||
|
if [ "$CURRENT_NODE_VERSION" != "$REQUIRED_NODE_VERSION" ]; then
|
||||||
|
echo "warning: Node.js version mismatch, consider using nvm to switch to the required version."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "checking .npmrc configuration..."
|
||||||
|
if [ ! -f ".npmrc" ]; then
|
||||||
|
echo "Error: .npmrc file not found, security configurations are missing."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "checking yarn.lock..."
|
||||||
|
if [ ! -f "yarn.lock" ]; then
|
||||||
|
echo "error: yarn.lock not found, run 'yarn install' to generate it."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "running yarn audit..."
|
||||||
|
yarn audit --level moderate
|
||||||
|
|
||||||
|
echo "checking for outdated packages..."
|
||||||
|
yarn outdated || true
|
||||||
|
|
||||||
|
echo "verifying package integrity..."
|
||||||
|
yarn list --depth=0
|
||||||
|
|
||||||
|
echo "checking for known vulnerable packages..."
|
||||||
|
yarn audit --level high
|
||||||
|
|
||||||
|
echo "checking package sources..."
|
||||||
|
yarn list --depth=0 --json | jq -r '.data.trees[] | select(.children) | .children[] | select(.name | test("^https?://(?!registry\\.npmjs\\.org)")) | .name' || true
|
||||||
|
|
||||||
|
echo "checks completed successfully!"
|
||||||
|
echo ""
|
||||||
|
echo "always use 'yarn install --frozen-lockfile' in production environments"
|
||||||
|
|
||||||
Reference in New Issue
Block a user