Merge branch 'develop' into hxia/sec-policy

1a1a11a · web-flow · commit 5ab587464482 · 2025-06-27T19:28:19.000-04:00
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -2,6 +2,9 @@ name: Code Quality
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   code-quality:
     name: Code Quality Checks
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -9,13 +9,18 @@ on:
     paths:
       - 'libCacheSim-node/**'
 
+permissions:
+  contents: read  # Default permission for reading repository contents
+
 env:
   BUILD_TYPE: Release
 
 jobs:
   create-release:
     if: github.event_name == 'release'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # Needed for creating GitHub releases
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       version: ${{ steps.package.outputs.version }}
@@ -79,6 +84,8 @@ jobs:
     if: github.event_name == 'release'
     needs: create-release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # Needed for uploading prebuilt binaries to releases
 
     steps:
       - name: Checkout code
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -15,7 +15,9 @@ on:
     branches: [ "develop" ]
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
+  actions: read
 
 jobs:
   analysis:
diff --git a/requirements.txt b/requirements.txt
@@ -1,2 +1,3 @@
-numpy
-matplotlib
+# Core dependencies with security-patched versions
+numpy>=1.22.0  # CVE-2021-34141 fix (GHSA-fpfv-jqm9-f5jm)
+matplotlib>=3.3.0
