@sebastienrousseau/dotfiles

The Trusted Shell Platform — Universal dotfiles managed by Chezmoi. Features Bash & Zsh for macOS, Linux & WSL. Rust modern tooling & enterprise-grade security.

---
render_with_liquid: false
---

# deps.dev Advisory Exceptions

The CI workflow `.github/workflows/deps-dev-validation.yml` scans direct dependencies (npm + PyPI + GitHub Actions) against the [deps.dev Insights API](https://docs.deps.dev/) on every PR, every push to `master`, and every Tuesday at 04:00 UTC. When an advisory is reported at or above the threshold (default `HIGH`), the workflow fails.

This page is where time-bound exceptions live. An entry here suppresses the check for one specific `(ecosystem, package)` pair, with an expiry date so that exceptions cannot accumulate quietly.

Managed under [#877](https://github.com/sebastienrousseau/dotfiles/issues/877).

## Active exceptions

*(none currently)*

## Adding an exception

Add an entry below in this exact format — the scanner greps for `` `<ecosystem>:<package>` `` at the start of a line (case-sensitive, backtick-delimited):

```
`NPM:lodash` (expires 2026-12-31): Maintained fork; advisory affects only the unused stream-API code path. Confirmed via static analysis. Tracked under #NNNN.
```

`<ecosystem>` is one of:

| Ecosystem | Source |
|---|---|
| `NPM` | `package.json` direct deps |
| `PYPI` | `pyproject.toml` direct deps |
| `GITHUB_ACTIONS` | `uses:` references in `.github/workflows/*.yml` |

`(expires YYYY-MM-DD)` is required. Use a 90-day window for routine work; longer windows need a sentence explaining why and a follow-up issue link.

## When to add vs not add

**Legitimate exception**:

- The advisory is in a code path your usage doesn't reach (e.g. the vulnerable function isn't called by anything in this repo).
- The upstream fix is in flight and you've already opened a PR or bumped to a beta.
- The package is end-of-life and you're tracking the migration to a successor under a dedicated issue.

**Not an exception** — fix the dep instead:

- "Bumping the version is annoying" — that's the whole point of the gate.
- "The advisory might be a false positive" — verify against deps.dev's underlying source; if it is a confirmed false positive, file it with deps.dev rather than adding an exception here.
- "We don't have time this sprint" — that's a deferral, not an exception. Bump the issue to next sprint; don't suppress.

## Expiry policy

The scanner does not currently parse expiry dates (deferred — needs a date-comparison helper). A monthly maintainer review of this page is the human gate. Any entry past its expiry should either be resolved (dep bumped, exception removed) or re-justified with a new expiry. When the date-parsing automation lands, expired exceptions will auto-fail the gate even when they're still listed here.

## References

- [`tools/ci/check-deps-dev.sh`](../../tools/ci/check-deps-dev.sh) — the scanner.
- [`.github/workflows/deps-dev-validation.yml`](../../.github/workflows/deps-dev-validation.yml) — CI wiring.
- [`tests/unit/security/test_check_deps_dev.sh`](../../tests/unit/security/test_check_deps_dev.sh) — contract test against canned fixtures.
- [deps.dev API reference](https://docs.deps.dev/api/v3/).
- Issue [#877](https://github.com/sebastienrousseau/dotfiles/issues/877).
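The start-of-line, case-sensitive, backtick-delimited lookup described under "Adding an exception", combined with the `(expires YYYY-MM-DD)` check that the expiry policy above still defers, as an added example in POSIX sh. It is not the project's own `tools/ci/check-deps-dev.sh`; the sample page is constructed and the names `exception_status` and `iso_to_int` are chosen here.

```shell
#!/bin/sh
# Added example, not the repository's scanner: resolve one (ecosystem, package)
# pair against a page in the entry format described on this page, and honour
# the "(expires YYYY-MM-DD)" marker. An entry counts only if it sits at the very
# start of a line, matches case-sensitively, and carries a well-formed expiry.

# Constructed sample page (not the real exceptions file).
SAMPLE_PAGE='# deps.dev Advisory Exceptions
## Active exceptions
`NPM:lodash` (expires 2026-12-31): Maintained fork; unused code path. Tracked under #NNNN.
`PYPI:requests` (expires 2024-01-31): Upstream fix in flight. Tracked under #NNNN.
`GITHUB_ACTIONS:actions/checkout` : entry without the mandatory expiry marker.
  `NPM:express` (expires 2099-01-01): indented, so not at the start of a line.'

# ISO date -> YYYYMMDD integer, so two dates can be compared with -lt.
iso_to_int() { printf '%s\n' "$1" | sed 's/-//g'; }

# exception_status PAGE ECOSYSTEM PACKAGE TODAY  ->  prints active|expired|none
# "none" covers a missing line, a line not at column 0, and a line with no
# valid expiry marker (an entry that cannot expire is not a valid exception).
# POSIX sh has no `local`, so the helper uses plain shell variables.
exception_status() {
  page=$1; prefix="\`$2:$3\` "; today=$(iso_to_int "$4")
  while IFS= read -r line; do
    case "$line" in
      "$prefix"*)   # quoted pattern: literal prefix match, metacharacters inert
        expires=$(printf '%s\n' "$line" \
          | sed -n 's/^.*(expires \([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\)).*$/\1/p')
        [ -n "$expires" ] || { echo none; return 0; }
        if [ "$(iso_to_int "$expires")" -lt "$today" ]; then echo expired; else echo active; fi
        return 0 ;;
    esac
  done <<EOF
$page
EOF
  echo none
}
```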