
docs: add SECURITY.md and CONTRIBUTING.md #1866

Merged: dhensby merged 2 commits into master from dhensby/add-security-policy on Jun 5, 2026
Conversation

@dhensby (Collaborator) commented Jun 5, 2026

Summary

Adds two community health docs so the project has clearly defined, easy-to-follow guidance for security researchers and contributors. Neither existed before, and there is no org-level .github repo providing defaults.

Both docs were modelled on established examples (Node.js, Sequelize, GitHub's recommended templates) and tailored to node-mssql's actual conventions.

SECURITY.md

  • Supported Versions — security fixes for the latest major line (12.x) only, with an upgrade pointer.
  • Reporting a Vulnerability — routes reporters through GitHub private vulnerability reporting (with a direct "Report a vulnerability" link), explicitly discourages public issues/PRs/discussions, and offers a no-details fallback.
  • What to include — impact, affected version(s), driver (tedious/msnodesqlv8), repro steps, PoC, and mitigations.
  • What to Expect — honest, community-project response timelines (3 business days to acknowledge, 10 to assess).
  • Coordinated Disclosure — confirm → fix + CVE/advisory → release with credit.
  • Scope — clarifies node-mssql vs. tedious/SQL Server, and lists out-of-scope cases.
  • Recognition — credit unless the reporter prefers anonymity.

Private vulnerability reporting has been enabled on the repo, so the "Report a vulnerability" link in the policy is live.

CONTRIBUTING.md

  • Reporting issues — points security reports at SECURITY.md, and documents the bug/feature-request expectations.
  • Development setup — Node.js >= 18.19.0, npm install, and a table of the test scripts (npm test, test-unit, test-tedious, test-msnodesqlv8, test-cli) plus how to run a single test and the dev-container note for integration tests.
  • Coding standards — StandardJS, the driver-agnostic lib/base vs. driver-impl layout, dual Promise/callback API, and test placement.
  • Commit messages — Conventional Commits with a type → release-impact table (commitlint + semantic-release enforced).
  • Pull requests — branch from master, atomic commits, rebase (not merge) to stay current, merge-commit strategy, and the PR checklist.

Not included

A Code of Conduct was intentionally left out for now given the size of the community; it can be added later via GitHub's template flow if that changes.

Add a security policy describing supported versions, how to privately
report vulnerabilities via GitHub private vulnerability reporting, what
to include in a report, expected response timelines, the coordinated
disclosure process, and scope.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@dhensby changed the title from "docs: add SECURITY.md security policy" to "docs: add SECURITY.md and CONTRIBUTING.md" on Jun 5, 2026
Document how to report issues, set up a development environment, run the
test suites, follow the StandardJS and Conventional Commits conventions,
and submit pull requests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@dhensby force-pushed the dhensby/add-security-policy branch from 4d50526 to c91ac8d on June 5, 2026 15:10
@dhensby merged commit 9a1f1a8 into master on Jun 5, 2026
136 of 187 checks passed
@dhensby deleted the dhensby/add-security-policy branch on June 5, 2026 16:32