You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Rand McKinney edited this page Nov 7, 2017
·
3 revisions
Someone in engineering will take point on this. Be sure NOT to update documentation until AFTER the affected module has been updated and published to npm. This is very important, because otherwise the exploit will be publicized and users won't have any recourse to correct it.
Once npm is updated:
Get description of the advisory from engineering.
Create new page titled "Security advisory MM-DD-YYY" (fill in the date).
Format of page is standardized and should match existing advisories, e.g. Security advisory 09-21-2017. There should be headings for:
Description
Reported by
Versions affected
Solution
If you open a PR, make sure the appropriate people in eng. review it; or eng. may open the PR and you do a copy-edit review.