Skip to content

docs: add SECURITY.md and CONTRIBUTING.md #1866

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dhensby merged 2 commits into from
Jun 5, 2026
+173 −0
Merged

docs: add SECURITY.md and CONTRIBUTING.md #1866

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
331231a
docs: add SECURITY.md security policy
dhensby Jun 5, 2026
c91ac8d
docs: add CONTRIBUTING.md
dhensby Jun 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 94 additions & 0 deletions CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
# Contributing to node-mssql

Thanks for your interest in contributing to `node-mssql`! This project is community-maintained, and contributions of all kinds — bug reports, documentation, and code — are welcome.

This guide covers how to report issues, set up a development environment, and submit changes that fit the project's conventions.

## Reporting Issues

### Security vulnerabilities

**Do not** open public issues for security vulnerabilities. Please follow our [Security Policy](SECURITY.md) and report them privately instead.

### Bugs

Before opening a bug report, please search [existing issues](https://github.com/tediousjs/node-mssql/issues) to avoid duplicates. When you open a new issue, the issue template will ask for the information maintainers need to triage it effectively, including:

- Expected and actual behaviour, with relevant SQL and schema where possible.
- A minimal, reproducible example.
- Software versions: Node.js, `mssql`, and SQL Server.

### Feature requests

Feature requests are welcome — please open an issue describing the use case and the problem you are trying to solve, rather than only a proposed implementation.

## Development Setup

1. Fork and clone the repository.
2. Ensure you are running a supported Node.js version. The project requires **Node.js >= 18.19.0** (see the `engines` field in `package.json`).
3. Install dependencies:

```bash
npm install
```

### Running the tests

| Command | Description |
| ------- | ----------- |
| `npm test` | Runs the linter (StandardJS) followed by the unit tests. This is the baseline check that must pass. |
| `npm run lint` | Runs StandardJS only. |
| `npm run test-unit` | Runs the unit tests only. No database required. |
| `npm run test-tedious` | Runs the integration tests against a live SQL Server using the `tedious` driver. |
| `npm run test-msnodesqlv8` | Runs the integration tests using the `msnodesqlv8` driver. |
| `npm run test-cli` | Runs the CLI tool tests. |

To run a single unit test by name:

```bash
npx mocha --exit -t 15000 --grep "test name" test/common/unit.js
```

### Integration tests

The integration tests require a running SQL Server instance configured in `test/.mssql.json` (see `.devcontainer/.mssql.json` for the expected shape). The included [dev container](https://containers.dev/) sets up both Node.js and SQL Server via Docker Compose, which is the easiest way to run the full suite locally.

Unit tests (`npm run test-unit`) do **not** require a database, so you can develop and validate most changes without a SQL Server instance.

## Coding Standards

- **Style:** The project uses [StandardJS](https://standardjs.com/) — no semicolons, 2-space indentation, single quotes. There is no config file or override; run `npm run lint` to check your work, and `npx standard --fix` to auto-fix many issues.
- **Driver-agnostic design:** Shared, public API lives in `lib/base/`; driver-specific implementations live in `lib/tedious/` and `lib/msnodesqlv8/` and override private methods prefixed with an underscore (e.g. `_poolCreate`, `_executeQuery`).
- **Dual API:** Async methods should support both Promises and callbacks.
- **Tests:** Add or update tests for any behavioural change. Unit tests go in `test/common/unit.js`; integration tests are added to the shared factory in `test/common/tests.js` so they run against every driver.

## Commit Messages

Commit messages **must** follow the [Conventional Commits](https://www.conventionalcommits.org/) specification. This is enforced by commitlint, and [semantic-release](https://semantic-release.gitbook.io/) uses these messages to automate versioning and changelog generation — so using the correct type matters.

| Type | When to use it | Release impact |
| ---- | -------------- | -------------- |
| `fix` | Bug fixes or behavioural corrections that don't change the public interface | **patch** |
| `feat` | New backwards-compatible functionality | **minor** |
| `feat!` (or any type with `!`, or a `BREAKING CHANGE:` footer) | Changes that require consumers to update their code | **major** |
| `chore` | Dependency updates, tooling, housekeeping | none |
| `ci` | CI pipeline or workflow configuration changes | none |
| `docs` | Documentation-only changes | none |
| `style` | Formatting or stylistic changes that don't affect behaviour | none |
| `refactor` | Code changes that neither fix a bug nor add a feature | none |
| `test` | Changes that only touch tests | none |

Only `fix` and `feat` trigger a release. If a change needs to be released but doesn't neatly fit either, choose whichever is most appropriate to ensure a release is created.

## Pull Requests

- **Branch from an up-to-date `master`.** All changes go through a pull request — there are no direct commits to `master`.
- **Keep commits atomic.** Each commit should be a self-contained, deployable change with linting, commitlint, and tests passing. Don't mix unrelated changes (e.g. a bug fix and a documentation tweak) in one commit.
- **Keep your branch current by rebasing** onto `master` rather than merging `master` into your branch.
- **PRs are merged with a merge commit** (no squash or rebase merge), so each commit in your PR is preserved in history. Please keep that history clean.
- Fill out the pull request template, link any related issues, and update the changelog where applicable.
- Make sure `npm test` passes before requesting review.

For additional background, see the [Contributing page on the project wiki](https://github.com/tediousjs/node-mssql/wiki/Contributing).

Thanks again for contributing!
79 changes: 79 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
# Security Policy

The `node-mssql` maintainers take the security of this library seriously, and we appreciate the efforts of security researchers and users who responsibly report vulnerabilities to us. This document explains which versions are supported, how to report a vulnerability, and what you can expect from us in return.

## Supported Versions

Security fixes are only provided for the latest major release line. We strongly recommend always running the most recent release.

| Version | Supported |
| ------- | ------------------ |
| 12.x | :white_check_mark: |
| < 12.0 | :x: |

If you are on an older major version, please upgrade to the latest `12.x` release to receive security fixes. The [changelog](https://github.com/tediousjs/node-mssql/releases) documents any breaking changes to help you upgrade.

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.**

Instead, report them privately through GitHub's [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability):

1. Go to the **[Security](https://github.com/tediousjs/node-mssql/security)** tab of the repository.
2. Click **Report a vulnerability** to open the advisory form ([direct link](https://github.com/tediousjs/node-mssql/security/advisories/new)).
3. Fill in as much detail as you can (see below) and submit.

This creates a private channel between you and the maintainers where we can discuss, triage, and fix the issue before any public disclosure.

If you are unable to use GitHub's private reporting for any reason, you may open a regular issue that contains **no vulnerability details** and simply asks a maintainer to get in touch about a security matter.

### What to include

A good report helps us validate and fix the issue quickly. Where possible, please include:

- A description of the vulnerability and its impact (e.g. SQL injection, denial of service, information disclosure).
- The affected version(s) of `node-mssql`, and the driver in use (`tedious` or `msnodesqlv8`) if relevant.
- Step-by-step instructions to reproduce, ideally with a minimal code sample.
- Any proof-of-concept code, logs, or screenshots that demonstrate the issue.
- Any known mitigations or workarounds.

You do not need a complete analysis to report — if you have found something concerning but are unsure of its full impact, please still reach out.

## What to Expect

`node-mssql` is a community-maintained open source project. We will do our best to respond promptly, but please understand that response times depend on maintainer availability.

- **Acknowledgement:** We aim to acknowledge your report within **3 business days**.
- **Assessment:** We aim to provide an initial assessment, including whether we accept the report and a rough severity, within **10 business days**.
- **Updates:** We will keep you informed of our progress toward a fix and may ask for additional information or guidance.
- **Resolution:** Once a fix is ready, we will coordinate a release and public disclosure with you (see below).

If you do not receive a response within a reasonable time, please send a gentle reminder by commenting on the advisory.

## Coordinated Disclosure

We follow a coordinated disclosure process:

1. We confirm the vulnerability and determine the affected versions.
2. We prepare a fix and, where appropriate, request a [CVE](https://www.cve.org/) and draft a GitHub Security Advisory.
3. We release a patched version and publish the advisory, crediting the reporter (unless you prefer to remain anonymous).

Please give us a reasonable opportunity to release a fix before disclosing the issue publicly. We are happy to agree on a disclosure timeline with you and will work to resolve accepted vulnerabilities as quickly as is practical.

## Scope

This policy covers security issues in the `node-mssql` library itself (the code in this repository, published to npm as [`mssql`](https://www.npmjs.com/package/mssql)).

Vulnerabilities in dependencies (such as [`tedious`](https://github.com/tediousjs/tedious)) or in Microsoft SQL Server itself should be reported to the relevant project. If you are unsure where an issue belongs, report it to us and we will help route it.

The following are generally **out of scope**:

- Vulnerabilities that require a malicious or compromised SQL Server, network position, or operating system that the application already implicitly trusts.
- Reports from automated scanners without a demonstrated, exploitable impact on `node-mssql`.
- Insecure usage patterns in application code that arise from ignoring the documented, parameterised query APIs (e.g. building queries via unsanitised string concatenation when a safe API is available).

When in doubt, report it — we would rather review an out-of-scope report than miss a real issue.

## Recognition

We are grateful to everyone who helps keep `node-mssql` and its users safe. Unless you ask to remain anonymous, we will credit you in the published security advisory and release notes.
Loading