From 331231ab1f1e4517bf42158b9b4a064c46e59e55 Mon Sep 17 00:00:00 2001 From: Dan Hensby Date: Fri, 5 Jun 2026 09:21:47 +0100 Subject: [PATCH 1/2] docs: add SECURITY.md security policy Add a security policy describing supported versions, how to privately report vulnerabilities via GitHub private vulnerability reporting, what to include in a report, expected response timelines, the coordinated disclosure process, and scope. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- SECURITY.md | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..9be01699 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,79 @@ +# Security Policy + +The `node-mssql` maintainers take the security of this library seriously, and we appreciate the efforts of security researchers and users who responsibly report vulnerabilities to us. This document explains which versions are supported, how to report a vulnerability, and what you can expect from us in return. + +## Supported Versions + +Security fixes are only provided for the latest major release line. We strongly recommend always running the most recent release. + +| Version | Supported | +| ------- | ------------------ | +| 12.x | :white_check_mark: | +| < 12.0 | :x: | + +If you are on an older major version, please upgrade to the latest `12.x` release to receive security fixes. The [changelog](https://github.com/tediousjs/node-mssql/releases) documents any breaking changes to help you upgrade. + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.** + +Instead, report them privately through GitHub's [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability): + +1. Go to the **[Security](https://github.com/tediousjs/node-mssql/security)** tab of the repository. +2. Click **Report a vulnerability** to open the advisory form ([direct link](https://github.com/tediousjs/node-mssql/security/advisories/new)). +3. Fill in as much detail as you can (see below) and submit. + +This creates a private channel between you and the maintainers where we can discuss, triage, and fix the issue before any public disclosure. + +If you are unable to use GitHub's private reporting for any reason, you may open a regular issue that contains **no vulnerability details** and simply asks a maintainer to get in touch about a security matter. + +### What to include + +A good report helps us validate and fix the issue quickly. Where possible, please include: + +- A description of the vulnerability and its impact (e.g. SQL injection, denial of service, information disclosure). +- The affected version(s) of `node-mssql`, and the driver in use (`tedious` or `msnodesqlv8`) if relevant. +- Step-by-step instructions to reproduce, ideally with a minimal code sample. +- Any proof-of-concept code, logs, or screenshots that demonstrate the issue. +- Any known mitigations or workarounds. + +You do not need a complete analysis to report — if you have found something concerning but are unsure of its full impact, please still reach out. + +## What to Expect + +`node-mssql` is a community-maintained open source project. We will do our best to respond promptly, but please understand that response times depend on maintainer availability. + +- **Acknowledgement:** We aim to acknowledge your report within **3 business days**. +- **Assessment:** We aim to provide an initial assessment, including whether we accept the report and a rough severity, within **10 business days**. +- **Updates:** We will keep you informed of our progress toward a fix and may ask for additional information or guidance. +- **Resolution:** Once a fix is ready, we will coordinate a release and public disclosure with you (see below). + +If you do not receive a response within a reasonable time, please send a gentle reminder by commenting on the advisory. + +## Coordinated Disclosure + +We follow a coordinated disclosure process: + +1. We confirm the vulnerability and determine the affected versions. +2. We prepare a fix and, where appropriate, request a [CVE](https://www.cve.org/) and draft a GitHub Security Advisory. +3. We release a patched version and publish the advisory, crediting the reporter (unless you prefer to remain anonymous). + +Please give us a reasonable opportunity to release a fix before disclosing the issue publicly. We are happy to agree on a disclosure timeline with you and will work to resolve accepted vulnerabilities as quickly as is practical. + +## Scope + +This policy covers security issues in the `node-mssql` library itself (the code in this repository, published to npm as [`mssql`](https://www.npmjs.com/package/mssql)). + +Vulnerabilities in dependencies (such as [`tedious`](https://github.com/tediousjs/tedious)) or in Microsoft SQL Server itself should be reported to the relevant project. If you are unsure where an issue belongs, report it to us and we will help route it. + +The following are generally **out of scope**: + +- Vulnerabilities that require a malicious or compromised SQL Server, network position, or operating system that the application already implicitly trusts. +- Reports from automated scanners without a demonstrated, exploitable impact on `node-mssql`. +- Insecure usage patterns in application code that arise from ignoring the documented, parameterised query APIs (e.g. building queries via unsanitised string concatenation when a safe API is available). + +When in doubt, report it — we would rather review an out-of-scope report than miss a real issue. + +## Recognition + +We are grateful to everyone who helps keep `node-mssql` and its users safe. Unless you ask to remain anonymous, we will credit you in the published security advisory and release notes. From c91ac8d96cee160838249ac3c1a039bf69d1e1ba Mon Sep 17 00:00:00 2001 From: Dan Hensby Date: Fri, 5 Jun 2026 11:09:34 +0100 Subject: [PATCH 2/2] docs: add CONTRIBUTING.md Document how to report issues, set up a development environment, run the test suites, follow the StandardJS and Conventional Commits conventions, and submit pull requests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- CONTRIBUTING.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 00000000..fca467a7 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,94 @@ +# Contributing to node-mssql + +Thanks for your interest in contributing to `node-mssql`! This project is community-maintained, and contributions of all kinds — bug reports, documentation, and code — are welcome. + +This guide covers how to report issues, set up a development environment, and submit changes that fit the project's conventions. + +## Reporting Issues + +### Security vulnerabilities + +**Do not** open public issues for security vulnerabilities. Please follow our [Security Policy](SECURITY.md) and report them privately instead. + +### Bugs + +Before opening a bug report, please search [existing issues](https://github.com/tediousjs/node-mssql/issues) to avoid duplicates. When you open a new issue, the issue template will ask for the information maintainers need to triage it effectively, including: + +- Expected and actual behaviour, with relevant SQL and schema where possible. +- A minimal, reproducible example. +- Software versions: Node.js, `mssql`, and SQL Server. + +### Feature requests + +Feature requests are welcome — please open an issue describing the use case and the problem you are trying to solve, rather than only a proposed implementation. + +## Development Setup + +1. Fork and clone the repository. +2. Ensure you are running a supported Node.js version. The project requires **Node.js >= 18.19.0** (see the `engines` field in `package.json`). +3. Install dependencies: + + ```bash + npm install + ``` + +### Running the tests + +| Command | Description | +| ------- | ----------- | +| `npm test` | Runs the linter (StandardJS) followed by the unit tests. This is the baseline check that must pass. | +| `npm run lint` | Runs StandardJS only. | +| `npm run test-unit` | Runs the unit tests only. No database required. | +| `npm run test-tedious` | Runs the integration tests against a live SQL Server using the `tedious` driver. | +| `npm run test-msnodesqlv8` | Runs the integration tests using the `msnodesqlv8` driver. | +| `npm run test-cli` | Runs the CLI tool tests. | + +To run a single unit test by name: + +```bash +npx mocha --exit -t 15000 --grep "test name" test/common/unit.js +``` + +### Integration tests + +The integration tests require a running SQL Server instance configured in `test/.mssql.json` (see `.devcontainer/.mssql.json` for the expected shape). The included [dev container](https://containers.dev/) sets up both Node.js and SQL Server via Docker Compose, which is the easiest way to run the full suite locally. + +Unit tests (`npm run test-unit`) do **not** require a database, so you can develop and validate most changes without a SQL Server instance. + +## Coding Standards + +- **Style:** The project uses [StandardJS](https://standardjs.com/) — no semicolons, 2-space indentation, single quotes. There is no config file or override; run `npm run lint` to check your work, and `npx standard --fix` to auto-fix many issues. +- **Driver-agnostic design:** Shared, public API lives in `lib/base/`; driver-specific implementations live in `lib/tedious/` and `lib/msnodesqlv8/` and override private methods prefixed with an underscore (e.g. `_poolCreate`, `_executeQuery`). +- **Dual API:** Async methods should support both Promises and callbacks. +- **Tests:** Add or update tests for any behavioural change. Unit tests go in `test/common/unit.js`; integration tests are added to the shared factory in `test/common/tests.js` so they run against every driver. + +## Commit Messages + +Commit messages **must** follow the [Conventional Commits](https://www.conventionalcommits.org/) specification. This is enforced by commitlint, and [semantic-release](https://semantic-release.gitbook.io/) uses these messages to automate versioning and changelog generation — so using the correct type matters. + +| Type | When to use it | Release impact | +| ---- | -------------- | -------------- | +| `fix` | Bug fixes or behavioural corrections that don't change the public interface | **patch** | +| `feat` | New backwards-compatible functionality | **minor** | +| `feat!` (or any type with `!`, or a `BREAKING CHANGE:` footer) | Changes that require consumers to update their code | **major** | +| `chore` | Dependency updates, tooling, housekeeping | none | +| `ci` | CI pipeline or workflow configuration changes | none | +| `docs` | Documentation-only changes | none | +| `style` | Formatting or stylistic changes that don't affect behaviour | none | +| `refactor` | Code changes that neither fix a bug nor add a feature | none | +| `test` | Changes that only touch tests | none | + +Only `fix` and `feat` trigger a release. If a change needs to be released but doesn't neatly fit either, choose whichever is most appropriate to ensure a release is created. + +## Pull Requests + +- **Branch from an up-to-date `master`.** All changes go through a pull request — there are no direct commits to `master`. +- **Keep commits atomic.** Each commit should be a self-contained, deployable change with linting, commitlint, and tests passing. Don't mix unrelated changes (e.g. a bug fix and a documentation tweak) in one commit. +- **Keep your branch current by rebasing** onto `master` rather than merging `master` into your branch. +- **PRs are merged with a merge commit** (no squash or rebase merge), so each commit in your PR is preserved in history. Please keep that history clean. +- Fill out the pull request template, link any related issues, and update the changelog where applicable. +- Make sure `npm test` passes before requesting review. + +For additional background, see the [Contributing page on the project wiki](https://github.com/tediousjs/node-mssql/wiki/Contributing). + +Thanks again for contributing!