UNPKG

@narthia/jira-client

Version:

A TypeScript Jira API client with dual ESM/CJS support for Jira REST API and Atlassian Forge applications. Zero runtime dependencies.

95 lines (60 loc) 2.92 kB
# Security Policy ## Supported Versions We actively support the following versions with security updates: | Version | Supported | | ------- | ------------------ | | 0.2.x | :white_check_mark: | | 0.1.x | :white_check_mark: | | < 0.1 | :x: | **Note**: We recommend always using the latest version for the best security and feature support. ## Reporting a Vulnerability If you discover a security vulnerability, please report it responsibly: **Email**: jeevanreddy1999@gmail.com **GitHub Issues**: [Create a security issue](https://github.com/narthia/jira-client/issues/new?template=security.md) ### What to Include When reporting a vulnerability, please include: - A clear description of the vulnerability - Steps to reproduce the issue - Potential impact assessment - Suggested fix (if applicable) ### Response Timeline We will: - Acknowledge receipt within 48 hours - Provide a timeline for investigation and resolution - Keep you informed of progress - Credit you in the security advisory (if desired) - Release a patch as quickly as possible ## Security Features This package is designed with security in mind: - **Secure Authentication**: Uses industry-standard API token authentication - **HTTPS Only**: All network requests use secure HTTPS connections - **No Code Execution**: Does not use `eval()`, `Function()`, or other code execution methods - **Immutable Configuration**: Configuration objects are frozen to prevent runtime modification ## Network Access This package makes network requests only to: - Your configured Jira instance (HTTPS only) - Atlassian Forge API (when used in Forge applications) All network access is for legitimate API communication with Jira services. No data is sent to third-party services. ## Security Best Practices for Users When using this package: 1. **Secure API Tokens**: Store Jira API tokens securely using environment variables or secure credential management 2. **HTTPS Only**: Always use HTTPS URLs for your Jira baseUrl 3. **Principle of Least Privilege**: Use API tokens with minimal required permissions 4. **Regular Updates**: Keep the package updated to the latest version 5. **Token Rotation**: Regularly rotate your Jira API tokens ## Dependencies - **Runtime Dependencies**: None (for standard usage) - **Peer Dependencies**: `@forge/api` (optional, only for Forge applications) - **Dev Dependencies**: All development dependencies are regularly audited for vulnerabilities ## Audit Information This package is regularly audited for security vulnerabilities using: - npm audit - Manual security reviews ## Security Disclosures Security vulnerabilities will be disclosed through: - Package release notes - Direct communication to affected users (for critical issues) ## Compliance This package is designed to comply with: - Node.js security best practices - TypeScript security recommendations