Skip to content

Commit 4c1983c

Browse files
scode2277artemisclaw82DicksonWu654mattaerealDicksonWu654
authored
Chore: monthly .org update (#552)
* content(opsec): endpoint security tiers and DPRK liveness verification (#400) * content(opsec): endpoint security tiers and DPRK liveness verification - Add endpoint security device provisioning tiers (managed, VDI, enterprise browser) - Add deepfake liveness verification techniques to DPRK TTP page - Add andrew-chang-gu to contributors.json (username TBD) Co-authored-by: DicksonWu654 <dickson@certik.com> Co-authored-by: andrew-chang-gu <> * chore: fill andrew-chang-gu contributor fields from public LinkedIn profile * Add contributor Andrew Chang-Gu to contributors.json Added new contributor Andrew Chang-Gu with details. --------- Co-authored-by: DicksonWu654 <dickson@certik.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * Add password manager endpoint hardening guide (#419) * Add password manager endpoint hardening guide * Tone down password manager hardening guide * Shorten password manager hardening guide * Make wallet secret storage guidance explicit * Remove decorative separators from password manager hardening guide * Fix lint in password manager endpoint guide * Tighten password manager endpoint guide * Shorten password manager endpoint guide * Clarify password manager endpoint guidance * Add password manager endpoint hardening guide * Tone down password manager hardening guide * Shorten password manager hardening guide * Make wallet secret storage guidance explicit * Remove decorative separators from password manager hardening guide * Fix lint in password manager endpoint guide * Tighten password manager endpoint guide * Shorten password manager endpoint guide * Clarify password manager endpoint guidance * Expand password manager hardening scope * Revert "Expand password manager hardening scope" This reverts commit 4bf04d63f70c7d9a93f3182e255c0f3cc3bca0d9. * docs: tighten password manager browser guidance --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * Add YubiKey and hardware security key guide (#416) * Add hardware security key guide * Credit Opsek authors on YubiKey guide * Remove decorative separators from hardware security keys guide * Fix lint in hardware security keys guide * Tighten hardware security keys guide * Move hardware security keys guide to endpoint security * Tighten hardware keys guide metadata * Update hardware-security-keys.mdx * Update hardware-security-keys.mdx * Add hardware security key guide * Credit Opsek authors on YubiKey guide * Remove decorative separators from hardware security keys guide * Fix lint in hardware security keys guide * Tighten hardware security keys guide * Move hardware security keys guide to endpoint security * Tighten hardware keys guide metadata * Add YubiKey-specific setup guidance * docs: tighten hardware key setup guidance * Delete AGENTS.md --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * Chore: add stewards for AI Security and Incident Management fws (#440) * Add stewards for Incident Management and AI Security fws * sync contributors company * Add SSH client and key management hardening guide (#420) * Add SSH client and key management hardening guide * Remove decorative separators from SSH hardening guide * Fix markdownlint spacing in SSH hardening guide * Tighten SSH hardening guide * Shorten SSH hardening guide * Clarify SSH hardening guidance * Introduce SSH certificates for better key management Added a section on using SSH certificates for improved access management. * Clarify SSH host verification guidance * Fix SSH guide markdown formatting * Finish SSH guide review fixes * Add SSH client and key management hardening guide * Remove decorative separators from SSH hardening guide * Fix markdownlint spacing in SSH hardening guide * Tighten SSH hardening guide * Shorten SSH hardening guide * Clarify SSH hardening guidance * Introduce SSH certificates for better key management Added a section on using SSH certificates for improved access management. * Clarify SSH host verification guidance * Fix SSH guide markdown formatting * Finish SSH guide review fixes * Trim unrelated SSH wordlist entries * Update wordlist.txt * Add reviewers to SSH client hardening guide --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * feat/github workflow to upload images to S3 bucket (#290) * add github workflow to autmatically upload images to S3 * implement review + deps revamp * Reorganize AWS credentials configuration in workflow * Add --ignore-scripts to install step for supply chain attack mitigation --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * Feature/opsec/mfa (#452) * Added MFA overview, and updated contributors file. * Build fix and language updates. * Refine MFA overview and recommendations Revised language for clarity and emphasis on MFA importance. Updated recommendations for MFA methods and highlighted security considerations for passkeys. * Further clarification about passkey storage. --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * docs: add CC BY-SA 4.0 licensing notice and metadata (#447) Co-authored-by: frameworks-volunteer <jamesbond777bot@duck.com> * Feedback integration certs (#459) * Port cert revisions and add SFC Identity & Accounts Mirrors the revisions applied in the SEAL-Certs-Template repo (see its CHANGELOG.md for full detail). Summary: - sfc-multisig-ops: ms-2.1.2 strengthened from "evaluate" to "implement"; ms-4.1.1 transaction process consolidated 8 to 5 bullets - sfc-treasury-ops: scope note added; per-actor/per-path exposure limits (tro-2.1.3) and privileged access / root account management (tro-3.1.5) added; trusted-parser bullet on tro-4.1.1; various consolidations and softening (session timeouts, impact thresholds, exposure limits) - sfc-devops-infrastructure: di-1.1.4 split into process + di-1.1.5 list; runner hardening on di-3.1.1; network architecture on di-4.1.1; supply chain mention softened; References section added - sfc-dns-registrar: dns-3.1.1 slimmed to reference the new Identity & Accounts cert for account management - sfc-incident-response: four IR controls consolidated (team roles, contacts, alerting, drills); header reference to Identity & Accounts - sfc-identity-accounts (NEW): horizontal cert covering organizational account management (inventory, phishing-resistant MFA, credential management, recovery methods, lifecycle, takeover monitoring, third- party access) Control IDs are stable; no renames. Baseline text changes do not affect workbook import (keyed on control ID). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Retire SFC Workspace Security; wire in Identity & Accounts The old Workspace Security cert drifted far from SEAL's SME (device management, EDR/MDM, physical/travel security, formal training programs). Its crypto-relevant content (account inventory, phishing-resistant MFA, credential management, account lifecycle, takeover monitoring) is now in the new horizontal Identity & Accounts cert. Generic enterprise IT coverage is better left to ISO 27001 / SOC 2 / CIS. - Delete docs/pages/certs/sfc-workspace-security.mdx - vocs.config.tsx: sidebar updated (add Identity & Accounts, remove Workspace Security) - utils/generate-cert-data.js: CERT_ORDER updated so the overview-page "Export All Certifications" xlsx includes I&A and excludes Workspace - utils/generate-printable-checklists.js: CERT_META updated so the Print button generates an I&A checklist and no longer generates one for Workspace - components/certified-protocols/CertifiedProtocols.tsx: certTypeToName map updated (sfc-ida replaces sfc-ws) - docs/pages/certs/overview.mdx: cert list updated - docs/pages/certs/index.mdx: cert list updated - docs/pages/intro/overview-of-each-framework.mdx: cert list updated The fetched-tags.json and cert-data.json artifacts regenerate at build time. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Surface control IDs in the control card UI Control IDs (e.g., ms-2.1.2) are already in the data model and used by workbook import/export and aria attributes, but were invisible in the rendered card. Surface them inline next to the title so readers and reviewers have a stable reference they can cite. - ControlCard.tsx: render {control.id} before the title with a muted separator - control.css: .control-id styled muted, monospace, 0.875em; .control-id-sep muted, non-bold No behavioral change; purely additive display. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add per-cert version stamps and central changelog Protocols that have certified against an earlier version of a cert need to scope the delta when that cert is revised. Adds explicit versioning so re-certification decisions are data-driven. - Per-cert frontmatter fields: version (semver-ish) and revised (ISO date). Rendered inline near the H1 title: "Revision X.Y · Updated YYYY-MM-DD · Changelog". - New page: docs/pages/certs/changelog.mdx aggregating revision history across all certs with inaugural 2026-04-17 entry covering the feedback-integration-1.1 changes. - vocs.config.tsx: Changelog added to sidebar under SEAL Certifications. All five existing certs stamped at v1.1 (revised 2026-04-17). New Identity & Accounts cert stamped at v1.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Regenerate build artifacts - docs/pages/certs/index.mdx: generate-folder-indexes added Changelog row - utils/fetched-tags.json: tags-fetcher regenerated tag map (added /certs/changelog entry; workspace-security replaced by identity-accounts; sectionMappings sort order shuffled) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add ir-2.1.1 threat model to Incident Response Monitoring coverage is only meaningful if it's pointed at the right things. The existing IR cert had team structure, contacts, monitoring, alerting, and playbooks, but no control requiring an explicit threat picture of protocol operations and external dependencies. This control closes that gap and anchors the monitoring and playbook controls to a known threat model. - Insert new ir-2.1.1 (Threat Model for Protocol Operations) at the start of Section 2 (Monitoring, Detection & Alerting) - Existing Section 2 controls shifted: old ir-2.1.1 to ir-2.1.2, ir-2.1.2 to ir-2.1.3, ir-2.1.3 to ir-2.1.4 - Evidence Tracker count 13 to 14 (template repo only) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Rewrite certs overview to align with program roadmap The previous overview was written during RFC Phase (ended Dec 31, 2025) and framed certifications as "proposed" and "being developed." The framework is now stable, published, and moving into active certification with accredited firms. Rewritten to: - Open with the same framing as the internal program-and-roadmap doc: code audits don't catch operational failures, certifications target that gap - List the six modules (with the new Identity & Accounts and Incident Response updated to include threat modeling) - Condense "How Certification Works" into a five-step engagement flow with EAS attestation - Replace the RFC Phase section with a plain Program Status summary of where the program is now - Trim outdated FAQ items (the "Q1 2026 rollout" question) and update wording throughout - Link to the new /certs/changelog page for revision history Shorter overall; aligned with the roadmap doc without duplicating its operational detail. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add back protocol and auditor signup links to certs overview Previous rewrite dropped these along with the RFC Phase framing. Adding them back as a tight "Get Involved" section between Program Status and FAQ. Both entry points currently point at the same typeform (securityalliance.typeform.com/CertsAuditor), matching the original overview page. If protocols and auditors need distinct intake forms later, the URL can be updated. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Integrate PR feedback from template repo review Mirrors template-repo commits acddf5c, 2d3a777, 5ae8d0f which applied DicksonWu654's review feedback. Since v1.1 hasn't shipped yet, the changelog entry for v1.1 is updated to reflect final state rather than documenting an intra-PR iteration. - sfc-devops-infrastructure: di-1.1.2 drops the supply-chain parenthetical (Section 2 already handles supply chain); di-1.1.4 and di-1.1.5 merged back into a single di-1.1.4 covering both the tool approval process and the approved-tools list; References section at the bottom removed (other certs don't carry References, so the inconsistency wasn't earning its keep) - sfc-identity-accounts: ida-2.1.1 drops the "(subject to SIM-swap and interception)" parenthetical; ida-4.1.1 drops the inline "(coordinated with SFC - Incident Response monitoring)" parenthetical (the trailing IR coordination bullet still carries that point); "Related certs" list in the page body removed (cross-refs live inline in each vertical cert) - sfc-incident-response: ir-2.1.1 threat model gains a baseline bullet on identifying single points of failure and highly centralized components across onchain and offchain layers (cross-chain messaging providers, oracle providers, critical infrastructure dependencies) - changelog.mdx: v1.1 entry updated to reflect final merged state; DevOps control count is now unchanged at 16, workbook compat note flags the shifted IR Section 2 IDs Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Fix protocol signup typeform URL to CertsWaitlist Both the protocol and auditor signup links in the certs overview were pointing at the same auditor form (CertsAuditor). Protocols should land on the waitlist form (CertsWaitlist) instead. Per PR #459 review comment from DicksonWu654. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Refreshing stewardship page (#460) * Add footer component to add the license in all the pages (#458) * making the contributors display more compact to favor UX + sync domains alphabetical order in fetched tags (#441) * Add Attack Surface Overview page (#435) * Add Attack Surface Overview page with interactive radial threat map Visual security posture dashboard showing 12 attack vectors as a radial diagram. Nodes are color-coded (red/amber/green) by posture state with click-to-toggle and localStorage persistence. Clicking a node opens a detail card with description, attack tags, and framework guide links. Designed for CSOs to quickly assess and communicate security gaps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Mark Attack Surface Overview as dev content Adds dev: true flag to sidebar entry per contributing guidelines. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Replace selection ring with scale + glow effect on selected nodes Selected nodes now scale up 10% and show a soft color-matched glow instead of a detached ring outline. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add GitHub Actions reminder for attack surface threat data changes Posts an automated PR comment when threatData.ts is modified, reminding contributors to include all required fields and verify framework links. Follows the same pattern as the existing vocs-config-reminder workflow. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address Sara first PR feedback item Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address Sara second PR feedback item Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Smooth-scroll detail card into view when a threat node is clicked Clicking a node on the radial map showed the detail card below the map, but on typical viewports the card landed below the fold, so it wasn't obvious anything had happened. Use scrollIntoView with block: "nearest" on the card when it mounts or the selected vector changes, respecting prefers-reduced-motion. Third PR feedback item addressed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Move attack-surface.mdx into intro/ folder and update links Moved the page to sit alongside the other Introduction pages. Updated sidebar link, internal cross-link in how-to-navigate, and component import path to match the new location. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Use react-router Link for framework CTA to avoid full page reload The detail card's framework link used a plain <a> tag which caused a full page reload. Switched to react-router-dom's <Link> for client-side navigation, consistent with the rest of the site. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add standard page components to Attack Surface Overview Adds TagProvider, TagFilter, TagList, and ContributeFooter to match the pattern used by all other Introduction pages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * content: clarify phishing awareness guidance on account claims and channel scope (#445) Clarify that profile labels and platform status indicators are not proof of legitimacy, and state that unsupported platforms should be explicitly identified. * bump dependencies after security alerts (#453) * Add TxScope — Solana multisig pre-signing threat scanner (#444) Adds TxScope to monitoring tools and wallet security tools pages. TxScope is a Solana-native pre-signing transaction threat scanner for Squads Protocol multisigs, filling the non-EVM tooling gap noted in the current tools page. Co-authored-by: black <bob@bobby.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [codex] Clarify hot vs cold wallet taxonomy (#449) * Clarify hot vs cold wallet taxonomy * Narrow hot vs cold wallet edits --------- Co-authored-by: welttowelt <welttowelt@users.noreply.github.com> * Frontend Web app FW: Add third party script security page (#454) * Add third party script security page in the frontend web app fw * fix Further Reading link * Fix links in web3-supply-chain-threats.mdx * Chore: weekly repo cleanup (#455) * weekly cleanup: - sync badges - fix outputs spellchecker - fix outputs linter - sync contributing files - sync tags * Cleanup of the latest PR merged * sync contributor badges with latest PRs * Fix indentation * feat: add forensic readiness page (#457) * feat: add forensic readiness page (closes #433) * fix: add forensic readiness to sidebar in vocs.config.tsx (refs #457) * chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates (#425) Bumps the npm_and_yarn group with 2 updates in the / directory: [dompurify](https://github.com/cure53/DOMPurify) and [flatted](https://github.com/WebReflection/flatted). Updates `dompurify` from 3.3.0 to 3.3.3 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](https://github.com/cure53/DOMPurify/compare/3.3.0...3.3.3) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.3.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * fix: expand DevSecOps incomplete categories (closes #439) (#461) - code-signing.mdx: Add GPG key generation, subkeys, YubiKey setup, passphrase management, key backup/recovery - continuous-integration-continuous-deployment.mdx: Add SLSA provenance, SBOM generation, OIDC federation for cloud access - repository-hardening.mdx: Add CODEOWNERS patterns, GitHub Advanced Security (CodeQL, secret scanning, dependency review), security policy template - security-testing.mdx: Add severity thresholds table, Semgrep custom rules, false positive management, coverage and mutation testing * fix: remediate PR #461 attribution and review findings (#462) - Update contributors frontmatter: mattaereal as author, scode2277 as reviewer - Replace discontinued keys.mailvelope.com with keyserver.ubuntu.com - Fix CISA link text to match URL (Software Bill of Materials) - Update expired nosemgrep example date to 2027-06-01 - Add note about simplified Semgrep rule example * fix: include hidden files in preview build artifact (closes #469) (#471) The search index lives in docs/dist/.vocs/ (a hidden directory). actions/upload-artifact@v4 excludes hidden files by default, so the .vocs directory was missing from the uploaded artifact. This caused the search index to be absent from preview deployments, breaking the native search (/) on all preview URLs. Adding include-hidden-files: true ensures the .vocs directory (and any other hidden assets) are included in the artifact. * Chore: LLMs generator (#463) * feat: add llms.txt generator + llms-{framework}.txt for all the frameworks we have + changed titles to 2 pages as previously confusing * Add branch-aware links + better hadle of contributing folder * fix: making the generator inherit dev:true from parent sidebar blocks * refactor: restructure llms output with per-page files, folder layout, and tighter routing index * fix: make branch check stronger * fix: add Web3-specific standards (AADAPT, SCWE, EthTrust, SC Top 10) to Integration (closes #176) (#475) * fix: expand VPN services page with HTTPS vs VPN, metadata, threat models (#473) * fix: expand VPN services page with HTTPS vs VPN, metadata, threat models (closes #406) * Update docs/pages/privacy/vpn-services.mdx Co-authored-by: Sara Russo <sararusso984@gmail.com> * refactor: split VPN services into subcategory pages per review feedback Restructure vpn-services.mdx into a vpns/ directory with sub-pages: - overview.mdx: entrance page with intro and links to subsections - https-vs-vpn.mdx: HTTPS vs VPN comparison and metadata gap - attack-surfaces-public-networks.mdx: public Wi-Fi risks - when-to-use-vpn.mdx: threat model decision framework + choosing a VPN - vpn-limitations.mdx: VPN limitations and DNS leaks - vpn-providers-and-tools.mdx: recommended providers, tools, and resources Update vocs.config.tsx with nested sidebar structure for VPN Services. All new pages include outline: deep for subsection navigation. --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> Co-authored-by: Sara Russo <sararusso984@gmail.com> * chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates (#464) Bumps the npm_and_yarn group with 3 updates in the / directory: [axios](https://github.com/axios/axios), [dompurify](https://github.com/cure53/DOMPurify) and [hono](https://github.com/honojs/hono). Updates `axios` from 1.14.0 to 1.15.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v1.14.0...v1.15.0) Updates `dompurify` from 3.3.3 to 3.4.1 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](https://github.com/cure53/DOMPurify/compare/3.3.3...3.4.1) Updates `follow-redirects` from 1.15.11 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0) Updates `hono` from 4.12.12 to 4.12.14 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](https://github.com/honojs/hono/compare/v4.12.12...v4.12.14) --- updated-dependencies: - dependency-name: axios dependency-version: 1.15.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.14 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Weekly repo cleanup: (#465) sync badges sync indexes sync tags fix spellchecker outputs fix linter outputs Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * feat(devsecops): Governance Proposal Security Across the SDLC (#467) Extract §4 (Upgrade Governance) out of data-security-upgrade-checklist into a standalone DevSecOps page focused on smart-contract upgrade governance across the full proposal lifecycle. Add an interactive hero graphic mapping threats onto a 4-stage SDLC, replace raw-markdown checklists with a stateful ChecklistItem component, and extend the content with material that consistently fails in practice but rarely appears on upgrade checklists: invariant suites that run against live mainnet state, and reproducible onchain calldata verified by CI. Page: /devsecops/governance-proposal-security Stages: Plan -> Build and Test -> Review & Audit -> Propose, Verify Onchain Calldata & Monitor New components: - <GovernanceSDLCPipeline /> - SVG pipeline with threat constellations, click-to-expand detail panel, keyboard nav, loop-back "feeds next cycle" arrow. Reuses categoryMeta from attack-surface for visual consistency. Stateless. - <ChecklistItem title="..."> ... </ChecklistItem> - interactive labelled checkbox with localStorage-persisted state and aria-describedby. Replaces every raw markdown "- [ ]" item on the new page. Migrations: - docs/pages/devsecops/data-security-upgrade-checklist.mdx - section 4 removed; page renamed to "Data Security Checklist" (URL preserved). - docs/pages/devsecops/overview.mdx - dropped duplicate "What's inside DevSecOps" section; Contents list is the single entry point (8 entries including the new page and Isolation & Sandboxing). - vocs.config.tsx - sidebar entry added and old Data Security entry renamed. - components/index.ts - exports the two new components. Notable content: - Stage 2: tests must exercise the actual deployment script, and fork-tests must execute the proposal's calldata at HEAD before running the integration + invariant suite. - Stage 3: internal peer review of the proposal by a non-author reviewer; audit scope extends to deploy scripts and proposal payloads. - Stage 4: reproducible calldata built locally + rebuilt in CI, compared byte-for-byte against what's onchain. - Real-World Proposal Failures: Wormhole (Feb 2022), Nomad (Aug 2022), Compound cETH Proposal 117 (Aug 2022), Yearn Finance yUSDT (Apr 2023) - each framed around a specific SDLC failure mode. Contributors: - wrote: quillaudits, dickson, ElliotFriedman - fact-checked: mattaereal Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates (#477) Bumps the npm_and_yarn group with 3 updates in the / directory: [axios](https://github.com/axios/axios), [uuid](https://github.com/uuidjs/uuid) and [postcss](https://github.com/postcss/postcss). Updates `axios` from 1.15.0 to 1.15.2 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v1.15.0...v1.15.2) Updates `uuid` from 13.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](https://github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0) Updates `postcss` from 8.5.6 to 8.5.14 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.14) --- updated-dependencies: - dependency-name: axios dependency-version: 1.15.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.14 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(opsec): add early-stage standards section with CCSS, remove unlinkable cross-chain placeholder (#480) * docs(devsecops): expand IDE extension verification guidance (#466) Item 1 of the IDE hardening list previously said "trusted sources" without defining what verification looks like. Expand it into a short multi-channel check (publisher match, source-repo cross-reference, install counts / verified-publisher badges / signed releases) and add a one-line threat-model hook explaining why extensions are a high-yield target. Also adds a contributors frontmatter acknowledging historical authors (mattaereal, fredriksvantes) alongside the new contribution. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix: normalize ContributeFooter route before GitHub link (#446) * fix: normalize footer contribute path for trailing slash routes * refactor: simplify contribute path normalization * docs(agents): align AGENTS.md with docs/CONTRIBUTING conventions (#470) * AGENTS.md initial commit. * Updates for consistency * Update AGENTS.md Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update AGENTS.md Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update AGENTS.md Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update AGENTS.md Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update AGENTS.md regarding contributors Co-authored-by: Sara Russo <sararusso984@gmail.com> --------- Co-authored-by: Sara Russo <sararusso984@gmail.com> * weekly repo cleanup: (#482) - fixed linter outputs - fixed spellchecker outputs - synced badges - synced tags - synced indexes * fix(security): address all dependabot security advisories (#483) Apply pnpm overrides to bump vulnerable transitive dependencies: - lodash-es >=4.18.1 (GHSA-xxjr-mmjv-4gpg, GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh) - yaml >=2.8.4 (GHSA-48c2-rrv3-qjmp) - fast-xml-parser >=5.7.0 (GHSA-gh4j-gqv2-49f6) - hono >=4.12.18 (GHSA-9vqf-7f2p-gf9v, GHSA-69xw-7hcm-h432) pnpm audit returns clean after lockfile regenerate. * ci: bump GitHub Actions to Node.js 24 runtime (#484) Upgrade all workflow actions from node20 to node24 runtimes to resolve deprecation warnings. actions/checkout v4.3.1 -> v6.0.2 actions/setup-node v4.4.0 -> v6.4.0 actions/upload-artifact v4.6.2 -> v7.0.1 actions/download-artifact v4.3.0 -> v8.0.1 pnpm/action-setup v4.2.0 -> v6.0.5 actions/github-script v7.1.0 -> v9.0.0 actions/cache v4.2.3 -> v5.0.5 aws-actions/configure-aws-credentials v4.1.0 -> v6.1.1 DavidAnson/markdownlint-cli2-action v20 -> v23.2.0 AdrianGonz97/refined-cf-pages-action v1.3.0 has no node24 release yet; left as-is pending upstream update. * chore(deps): configure Dependabot for npm and GitHub Actions (#488) Enable Dependabot version updates with a weekly schedule (Mondays 09:00 UTC) targeting the develop branch. Updates are grouped into single PRs: - npm: grouped minor + patch updates /week - GitHub Actions: grouped updates /week Separate major version updates will be raised individually. * fix: expand network-security primer (closes #55) (#479) * fix: expand network-security primer for issue #55 (closes #55) * Fix link to VPN Services in network security docs --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * Chore: standardized frameworks and pages structure (#487) * chore: refresh template and contributing guide * sync the contributing files * fix: add end of file newline * chore(ci): add release-please configuration (#489) * chore(ci): add release-please configuration for automated releases on develop * chore(ci): scope release-please to docs/pages, use simple release type Changes release-please configuration to focus the changelog on MDX content updates (security frameworks) rather than technical setup or version bumps: - Switch release-type from "node" to "simple" (no package.json mutation) - Scope package path to "docs/pages" so only content changes appear in changelogs and trigger releases - Add component label "Security Frameworks" for clearer headings - Update manifest path accordingly * chore(ci): add release-please workflow Adds the GitHub Actions workflow that runs release-please on every push to develop. Uses manifest mode with the config and manifest files already present in this PR. Flow: conventional commit lands on develop -> workflow fires -> release-please checks if docs/pages/ changed -> creates/updates release PR with scoped changelog -> maintainer merges -> release tagged. * chore(ci): retarget release-please to main branch Releases will track main, not develop: - .github/release-please.yml: primaryBranch -> main - .github/workflows/release-please.yml: trigger branch -> main, target-branch -> main - Added explicit config-file and manifest-file paths to the workflow * chore(ci): fix release-please target branch to develop Both .github/workflows/release-please.yml and .github/release-please.yml were targeting main instead of develop. The PR and all content changes target the develop branch, so release-please must also target develop. * fix(ci): release-please targets main for releases, PR targets develop The branching model is: changes go to develop via PRs, develop merges to main, release-please triggers on main pushes to cut releases. - .github/release-please.yml: primaryBranch changed to main - .github/workflows/release-please.yml: trigger on push to main, target-branch set to main * fix(ci): target-branch and primaryBranch to develop Release PRs are created on develop, not main. Changes flow: develop -> release PR on develop -> merge to main -> release tagged. Closes #488 * fix(ci): release-please targets main and uses .github/release-please/ folder (#494) * Chore: weekly repo cleanup (#497) * weekly repo cleanup: - fixed linter outputs - fixed spellchecker outputs - synced badges - synced tags - synced indexes * weekly repo cleanup: - fixed mdxTextExpression build warnings - fixed broken SEAL CoC link - fixed mermaid dark mode visibility - simplified post-build scripts console logs - added guidance for too long files to contribution docs - cleaned up numbered heading in awareness fw - fixed linter outputs - fixed spellchecker outputs - synced badges - synced tags - synced indexes * add 'target="_blank"' to CoC link * fix: remove add 'target="_blank"' to CoC link * chore(deps): bump the npm_and_yarn group across 1 directory with 11 updates (#491) Bumps the npm_and_yarn group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3) | `3.1024.0` | `3.1048.0` | | [@aws-sdk/lib-storage](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/lib/lib-storage) | `3.1024.0` | `3.1048.0` | | [axios](https://github.com/axios/axios) | `1.15.2` | `1.16.1` | | [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.2` | `11.15.0` | | [playwright](https://github.com/microsoft/playwright) | `1.57.0` | `1.60.0` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.1` | `19.2.6` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.7` | `19.2.14` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.1` | `19.2.6` | | [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.12.0` | `7.15.1` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.0.7` | `4.3.0` | | [vocs](https://github.com/wevm/vocs) | `1.2.2` | `1.4.1` | Updates `@aws-sdk/client-s3` from 3.1024.0 to 3.1048.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1048.0/clients/client-s3) Updates `@aws-sdk/lib-storage` from 3.1024.0 to 3.1048.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/lib/lib-storage/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1048.0/lib/lib-storage) Updates `axios` from 1.15.2 to 1.16.1 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v1.15.2...v1.16.1) Updates `mermaid` from 11.12.2 to 11.15.0 - [Release notes](https://github.com/mermaid-js/mermaid/releases) - [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.2...mermaid@11.15.0) Updates `playwright` from 1.57.0 to 1.60.0 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](https://github.com/microsoft/playwright/compare/v1.57.0...v1.60.0) Updates `react` from 19.2.1 to 19.2.6 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react) Updates `@types/react` from 19.2.7 to 19.2.14 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.2.1 to 19.2.6 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom) Updates `react-router-dom` from 7.12.0 to 7.15.1 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.15.1/packages/react-router-dom) Updates `@types/react` from 19.2.7 to 19.2.14 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `tailwindcss` from 4.0.7 to 4.3.0 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss) Updates `vocs` from 1.2.2 to 1.4.1 - [Release notes](https://github.com/wevm/vocs/releases) - [Commits](https://github.com/wevm/vocs/compare/vocs@1.2.2...vocs@1.4.1) --- updated-dependencies: - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1045.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: "@aws-sdk/lib-storage" dependency-version: 3.1045.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: "@types/react" dependency-version: 19.2.14 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm_and_yarn - dependency-name: "@types/react" dependency-version: 19.2.14 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: mermaid dependency-version: 11.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: playwright dependency-version: 1.59.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: react dependency-version: 19.2.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm_and_yarn - dependency-name: react-dom dependency-version: 19.2.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm_and_yarn - dependency-name: react-router-dom dependency-version: 7.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: tailwindcss dependency-version: 4.3.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: vocs dependency-version: 1.4.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump minisearch from 6.3.0 to 7.2.0 (#493) Bumps [minisearch](https://github.com/lucaong/minisearch) from 6.3.0 to 7.2.0. - [Changelog](https://github.com/lucaong/minisearch/blob/master/CHANGELOG.md) - [Commits](https://github.com/lucaong/minisearch/compare/v6.3.0...v7.2.0) --- updated-dependencies: - dependency-name: minisearch dependency-version: 7.2.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(gha): bump pnpm/action-setup in /.github/workflows (#499) Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 6.0.5 to 6.0.8. - [Release notes](https://github.com/pnpm/action-setup/releases) - [Commits](https://github.com/pnpm/action-setup/compare/8912a9102ac27614460f54aedde9e1e7f9aec20d...0e279bb959325dab635dd2c09392533439d90093) --- updated-dependencies: - dependency-name: pnpm/action-setup dependency-version: 6.0.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the npm_and_yarn group with 3 updates (#502) Bumps the npm_and_yarn group with 3 updates: [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3), [@aws-sdk/lib-storage](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/lib/lib-storage) and [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react). Updates `@aws-sdk/client-s3` from 3.1048.0 to 3.1053.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/clients/client-s3) Updates `@aws-sdk/lib-storage` from 3.1048.0 to 3.1053.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/lib/lib-storage/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/lib/lib-storage) Updates `@types/react` from 19.2.14 to 19.2.15 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) --- updated-dependencies: - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1053.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: "@aws-sdk/lib-storage" dependency-version: 3.1053.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm_and_yarn - dependency-name: "@types/react" dependency-version: 19.2.15 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add SKILL.md retrieval policy for AI agents (#496) * Added a password section to the opsec framework (#468) * Updated password section to add guidelines for password usage, SSO, root accounts, and password managers. * Fixes to password spelling. Added new files. * Fix typo in 'collapsed' property * Fixed typos and trailing newlines in PR. * Further edits after PR review. * Added back overview. * Update docs/pages/opsec/passwords/sso.mdx Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update docs/pages/opsec/overview.mdx Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update docs/pages/opsec/passwords/managers.mdx Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update docs/pages/opsec/passwords/rootaccounts.mdx Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update docs/pages/opsec/passwords/sso.mdx Co-authored-by: Sara Russo <sararusso984@gmail.com> * Update password section link text in config --------- Co-authored-by: Seth Hallem <seth@certora.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> Co-authored-by: Sara Russo <sararusso984@gmail.com> * Strengthen multisig guidance: timelocks, separation, address discipline, and key takeaways (#448) * Rev multisig guidance with new attacks, concerns. add a key takeways page for quick reference and linking * wip feedback integration * Address PR review feedback: calldata red flags, supply-chain/insider verification, EVM caveat Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Add ElliotFriedman to reviewers list * Add reviewer ElliotFriedman to key takeaways * Add ElliotFriedman as reviewer for requirements document * Add ElliotFriedman as reviewer for multisig verification --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * Devsecops/developer machine sandboxing (#481) * Add Attack Surface Overview page with interactive radial threat map Visual security posture dashboard showing 12 attack vectors as a radial diagram. Nodes are color-coded (red/amber/green) by posture state with click-to-toggle and localStorage persistence. Clicking a node opens a detail card with description, attack tags, and framework guide links. Designed for CSOs to quickly assess and communicate security gaps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Mark Attack Surface Overview as dev content Adds dev: true flag to sidebar entry per contributing guidelines. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Replace selection ring with scale + glow effect on selected nodes Selected nodes now scale up 10% and show a soft color-matched glow instead of a detached ring outline. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add GitHub Actions reminder for attack surface threat data changes Posts an automated PR comment when threatData.ts is modified, reminding contributors to include all required fields and verify framework links. Follows the same pattern as the existing vocs-config-reminder workflow. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address Sara first PR feedback item Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address Sara second PR feedback item Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Smooth-scroll detail card into view when a threat node is clicked Clicking a node on the radial map showed the detail card below the map, but on typical viewports the card landed below the fold, so it wasn't obvious anything had happened. Use scrollIntoView with block: "nearest" on the card when it mounts or the selected vector changes, respecting prefers-reduced-motion. Third PR feedback item addressed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Move attack-surface.mdx into intro/ folder and update links Moved the page to sit alongside the other Introduction pages. Updated sidebar link, internal cross-link in how-to-navigate, and component import path to match the new location. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Use react-router Link for framework CTA to avoid full page reload The detail card's framework link used a plain <a> tag which caused a full page reload. Switched to react-router-dom's <Link> for client-side navigation, consistent with the rest of the site. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add standard page components to Attack Surface Overview Adds TagProvider, TagFilter, TagList, and ContributeFooter to match the pattern used by all other Introduction pages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * developer machine sandboxing Signed-off-by: Elliot <elliotfriedman3@gmail.com> * add dev machine sandboxing to vocs config Signed-off-by: Elliot <elliotfriedman3@gmail.com> * add dev machine sandboxing to section index * add dev machine sandobxing to fetched tags Signed-off-by: Elliot <elliotfriedman3@gmail.com> * update built files Signed-off-by: Elliot <elliotfriedman3@gmail.com> * address pr feedback Signed-off-by: Elliot <elliotfriedman3@gmail.com> * Add link to Developer Machine Sandboxing * add opencode section * remote extension trust model * update wordlist to include tob, unsandboxed, exfiltrates and Daytona * Rename and update developer machine sandboxing content Primarily re-word isolation for confinement or sandboxing when applies * Missing closing tag provider --------- Signed-off-by: Elliot <elliotfriedman3@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * feat: Add Checklist component to make our checklists clickable (#498) * Add Checklist component to make our checklists clickable * Add checklist guidance to contributing guidelines * fix build error by removing block comment * Update contributors.json (#508) * certs: rework Certified Partners into Auditor Accreditation page (#520) Replace the expired RFC/RFQ status with the current accreditation process: an intro call, a supervised first engagement, no upfront fee and no revenue share (a single accreditation fee on successful completion of the first certification), and a note that firms don't share confidential client data with SEAL. Adds an auditor-facing FAQ. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Update supply-chain-rpc-security.mdx (#517) * Update supply-chain-rpc-security.mdx * Update docs/pages/supply-chain/web3-supply-chain-threats.mdx Co-authored-by: Sara Russo <sararusso984@gmail.com> * Name correction: Layer Zero -> LayerZero * Update web3-supply-chain-threats.mdx --------- Co-authored-by: Sara Russo <sararusso984@gmail.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * fix(security): add overrides for uuid and tmp advisories (#504) - uuid >=11.1.1 (GHSA-w5hq-g745-h8pq): exceljs>uuid transitive dep - tmp >=0.2.6 (GHSA-ph9p-34f9-6g65): exceljs>tmp path traversal These are the only 2 open advisories on develop as of 2026-05-27. * chore: use pinned cspell version in spell-check workflow (#505) - Replace `npx cspell` with `pnpm exec cspell` in workflow and justfile - Add `actions/setup-node` (Node 22) and pnpm setup steps - Pin new actions by SHA with version comments * chore(gha): bump aws-actions/configure-aws-credentials (#509) Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 6.1.1 to 6.2.0. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/d979d5b3a71173a29b74b5b88418bfda9437d885...e7f100cf4c008499ea8adda475de1042d6975c7b) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump cspell from 9.8.0 to 10.0.1 (#511) Bumps [cspell](https://github.com/streetsidesoftware/cspell/tree/HEAD/packages/cspell) from 9.8.0 to 10.0.1. - [Release notes](https://github.com/streetsidesoftware/cspell/releases) - [Changelog](https://github.com/streetsidesoftware/cspell/blob/main/packages/cspell/CHANGELOG.md) - [Commits](https://github.com/streetsidesoftware/cspell/commits/v10.0.1/packages/cspell) --- updated-dependencies: - dependency-name: cspell dependency-version: 10.0.1 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: improve dependabot configuration (#506) * chore: improve dependabot configuration * Minor updates to v2 of dependabot configuration * Simplify cooldown settings in dependabot.yml Removed specific cooldown settings for semver updates. --------- Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * chore(gha): bump actions/checkout in /.github/workflows (#515) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4.2.2...df4cb1c069e1874edd31b4311f1884172cec0e10) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the pnpm-patch group with 4 updates (#527) Bumps the pnpm-patch group with 4 updates: [react](https://github.com/facebook/react/tree/HEAD/packages/react), [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react), [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) and [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss). Updates `react` from 19.2.6 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react) Updates `@types/react` from 19.2.15 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.2.6 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom) Updates `@types/react` from 19.2.15 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `tailwindcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss) --- updated-dependencies: - dependency-name: react dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pnpm-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: pnpm-patch - dependency-name: react-dom dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pnpm-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: pnpm-patch - dependency-name: tailwindcss dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: pnpm-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * certs: expand the contributions guide (#521) * certs: expand the contributions guide Make explicit that the frameworks repo is the source of truth for controls, that categories are fixed while new controls can be added, and that final decisions rest with the certs initiative lead. Document the lightweight release process: stable control IDs, batched named releases (seal-species theme) tracked in the changelog. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Enhance contributions section with contact details Added contact information for contributions and clarified feedback request. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com> * chore(deps): bump the pnpm-minor group across 1 directory with 4 updates (#528) Bumps the pnpm-minor group with 4 updates in the / directory: [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3), [@aws-sdk/lib-storage](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/lib/lib-storage), [axios](https://github.com/axios/axios) and [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom). Updates `@aws-sdk/client-s3` from 3.1053.0 to 3.1063.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1063.0/clients/client-s3) Updates `@aws-sdk/lib-storage` from 3.1053.0 to 3.1063.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/lib/lib-storage/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1063.0/lib/lib-storage) Updates `axios` from 1.16.1 to 1.17.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v1.16.1...v1.17.0) Updates `react-router-dom` from 7.15.1 to 7.17.0 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/react-router-dom@7.17.0/packages/react-router-dom/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.17.0/packages/react-router-dom) --- updated-dependencies: - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1063.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pnpm-minor - dependency-name: "@aws-sdk/lib-storage" dependency-version: 3.1063.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pnpm-minor - dependency-name: axios dependency-version: 1.17.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pnpm-minor - dependency-name: react-router-dom dependency-version: 7.17.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: pnpm-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Chore: vocs v2 migration (#519) * chore: Pre-migration changes - move certified-protocols under cert/ + remove dead code - Relocated components/certified-protocols/ to components/cert/certified-protocols/ since the component is cert-family and css - Deleted the unused withTagFiltering HOC (tsx + css). * chore: switch package to ESM Vocs 2.0 / Waku require the package to be ESM. Without "type": "module", Waku's static generation crashes - Add "type": "module" to package.json. - Rename the CommonJS build scripts to .cjs (they use require/module.exports) - Remove the mermaid-wrapper script invocation from docs:dev/docs:build and its script entry; native mermaid support lands in a later commit. * chore: bump vocs to 2.0.10 + add waku - Bump vocs 1.4.1 -> 2.0.10 (devDependency). - Add waku 1.0.0-beta.1. vocs 2.0 declares waku as an optional peer, so pnpm does not install it, but vocs imports it unconditionally and crashes without it * feat: vocs 2.0 config + routing - vocs 2.0 only discovers vocs.config.{ts,js,mjs,mts}; a .tsx config is silently ignored. - Drop the vite.define __IS_MAIN_BRANCH__ block - Add docs/pages/_layout.tsx (global layout, wraps every page in TagProvider) - _slots.tsx (Footer + SidebarHeader slots) - new _root.css for global styles - Waku forbids a file and folder sharing a path, so had to move the four control-domains landing pages X.mdx -> X/overview.mdx * refactor: remove per-page tag filter wrappers The tag filter and its context are now set up once globally (in the page layout and sidebar slot), so every page no longer needs to wrap itself in <TagProvider>/<TagFilter />. This updates ~299 pages to drop those wrappers while keeping the tag list, attribution, and contribute footer. The page template is updated to match. * fix: make components work as React Server Components for vocs v2 vocs 2.0 renders pages as server components by default, so anything using hooks, context, event handlers, or browser APIs needs a "use client" marker, and a few components needed other adjustments to render correctly. * feat: write generated assets to the root public/ folder vocs 2.0 serves static files from the root public/ directory, not docs/public/, so anything fetched at /foo must live there. This fixes the certs Export and the Print button. - Update .gitignore for the new printable path, and ignore Waku's generated docs/pages.gen.ts route types. * feat: render mermaid diagrams natively vocs 2.0 renders mermaid code blocks natively, so the old workaround is gone. vocs 1.x couldn't parse them, so there was a custom MermaidRenderer component plus a build step that rewrote raw blocks into <MermaidRenderer>. * fix: tag filter for vocs 2.0 Rework the sidebar tag filter for vocs 2.0's DOM and slot system. - Remap the sidebar control logic to vocs 2.0's data attributes - Move the filter into the SidebarHeader slot: drop the old fixed positioning - Fix section mapping in tags-fetcher: key each section on the folder that directly contains its pages * build: sync pnpm-lock.yaml with the vocs 2.0 bump * style: vocs 2.0 theming, footer, and CI fixups Theming: - Replace .dark / :root:not(.dark) and @media (prefers-color-scheme) with [data-vocs-theme]-driven selectors across the component stylesheets - Delete the now-unused docs/footer.tsx. - Attack-surface and governance: define their theme tokens locally on their root elements instead of borrowing from cert's control.css CI / workflows: - preview-build.yml: upload dist/public instead of docs/dist - vocs-config-reminder.yml: reference vocs.config.ts instead of vocs.config.tsx. * chore: fix logo positioning and banner cursive style * chore: fix postbuild output dirs, remove processing searchbar and just-install to separate PRs * Fix: component name * fix: align react and react-dom at 19.2.7 + make Checklist componen…
1 parent f22886b commit 4c1983c

414 files changed

Lines changed: 10309 additions & 8625 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 20 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,23 @@
1-
## Frameworks PR Checklist
1+
<!--
2+
Thanks for contributing! New here? Skim the contributor guide first:
3+
https://frameworks.securityalliance.dev/contribute/contributing
4+
-->
25

3-
Thank you for contributing to the Security Frameworks! Before you open a PR, make sure to read [information for contributors](https://frameworks.securityalliance.dev/contribute/contributing) and take a look at the following checklist:
6+
### What does this PR change?
7+
<!-- A short summary: what you changed and why. -->
8+
<!-- Opened an issue first, or completing one? Add "Closes #123" here so the issue auto-closes when this PR merges. -->
49

5-
- [ ] Describe your changes, substitute this text with the information
6-
- [ ] If you are touching an existing piece of content, tag current contributors from the attribution list
7-
- [ ] If there is a steward for that framework, ask the steward to review it
8-
- [ ] If you're modifying the general outline, make sure to update it in the `vocs.config.ts` adding the `dev: true` parameter
9-
- [ ] If you need feedback for your content from the wider community, share the PR in our Discord
10-
- [ ] Review changes to ensure there are no typos; see instructions below.
10+
### Type of change
11+
- [ ] New content
12+
- [ ] Edit to existing content
13+
- [ ] Outline / structure change
14+
- [ ] Typo or formatting fix
15+
- [ ] Tooling / config
1116

12-
<!--
13-
ℹ️ Checking for typos locally
14-
1. Install [markdownlint-cli2](https://github.com/DavidAnson/markdownlint-cli2)
15-
2. Install [just](https://github.com/casey/just)
16-
3. Run `npx just lint`
17-
-->
17+
### If applicable
18+
- [ ] Editing existing content: tagged the current contributors from the attribution list
19+
- [ ] Framework has a steward: asked them to review
20+
- [ ] Outline change: updated `vocs.config.ts` with the `dev: true` parameter
21+
- [ ] Want community feedback: shared this PR in our Discord
22+
23+
Stuck on anything? Just write it here and we're happy to help.

.github/dependabot.yml

Lines changed: 97 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,97 @@
1+
version: 2
2+
3+
updates:
4+
- package-ecosystem: "npm"
5+
directory: "/"
6+
7+
schedule:
8+
interval: "weekly"
9+
day: "monday"
10+
time: "09:00"
11+
timezone: "UTC"
12+
13+
target-branch: "develop"
14+
15+
# Normal version updates only.
16+
# Security updates are not delayed by cooldown.
17+
cooldown:
18+
default-days: 7
19+
semver-patch-days: 7
20+
semver-minor-days: 14
21+
semver-major-days: 30
22+
23+
open-pull-requests-limit: 5
24+
25+
# Conservative npm behavior:
26+
# do not rewrite package.json ranges unless needed.
27+
versioning-strategy: "increase-if-necessary"
28+
29+
groups:
30+
pnpm-patch:
31+
applies-to: "version-updates"
32+
patterns:
33+
- "*"
34+
update-types:
35+
- "patch"
36+
37+
pnpm-minor:
38+
applies-to: "version-updates"
39+
patterns:
40+
- "*"
41+
update-types:
42+
- "minor"
43+
44+
# Block routine major updates.
45+
# Handle majors manually / intentionally.
46+
ignore:
47+
- dependency-name: "*"
48+
update-types:
49+
- "version-update:semver-major"
50+
51+
commit-message:
52+
prefix: "chore(deps)"
53+
54+
labels:
55+
- "dependencies"
56+
57+
- package-ecosystem: "github-actions"
58+
directory: "/"
59+
60+
schedule:
61+
interval: "weekly"
62+
day: "monday"
63+
time: "09:00"
64+
timezone: "UTC"
65+
66+
target-branch: "develop"
67+
68+
cooldown:
69+
default-days: 7
70+
71+
open-pull-requests-limit: 3
72+
73+
groups:
74+
actions-patch:
75+
applies-to: "version-updates"
76+
patterns:
77+
- "*"
78+
update-types:
79+
- "patch"
80+
81+
actions-minor:
82+
applies-to: "version-updates"
83+
patterns:
84+
- "*"
85+
update-types:
86+
- "minor"
87+
88+
ignore:
89+
- dependency-name: "*"
90+
update-types:
91+
- "version-update:semver-major"
92+
93+
commit-message:
94+
prefix: "chore(gha)"
95+
96+
labels:
97+
- "dependencies"
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
{
2+
".": "0.0.0"
3+
}
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
{
2+
"packages": {
3+
".": {
4+
"release-type": "simple",
5+
"component": "Security Frameworks"
6+
}
7+
}
8+
}

.github/workflows/md-lint.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,8 +9,8 @@ jobs:
99
lint:
1010
runs-on: ubuntu-latest
1111
steps:
12-
- uses: actions/checkout@v4
13-
- uses: DavidAnson/markdownlint-cli2-action@v20
12+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
13+
- uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23.2.0
1414
continue-on-error: true
1515
with:
1616
globs: |

.github/workflows/preview-build.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -14,16 +14,16 @@ jobs:
1414
name: Build Preview Site
1515
steps:
1616
- name: Checkout
17-
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
17+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
1818
with:
1919
fetch-depth: 1
2020
persist-credentials: false
2121

2222
- name: Setup pnpm
23-
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
23+
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
2424

2525
- name: Setup Node.js
26-
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
26+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
2727
with:
2828
node-version: 22
2929
cache: pnpm
@@ -37,10 +37,10 @@ jobs:
3737
CF_PAGES_BRANCH: ${{ github.head_ref }}
3838

3939
- name: Upload build artifact
40-
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
40+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
4141
with:
4242
name: preview-build
43-
path: docs/dist
43+
path: dist/public
4444
include-hidden-files: true
4545
if-no-files-found: error
4646
retention-days: 1

.github/workflows/preview-deploy.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ jobs:
2727
url: ${{ steps.cloudflare-preview-deploy.outputs.alias || steps.cloudflare-preview-deploy.outputs.url }}
2828
steps:
2929
- name: Download build artifact
30-
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
30+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
3131
id: preview-build-artifact
3232
with:
3333
name: preview-build
Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
name: Release Please
2+
3+
on:
4+
push:
5+
branches: [main]
6+
7+
permissions:
8+
contents: write
9+
pull-requests: write
10+
11+
jobs:
12+
release-please:
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
16+
- name: Create or update release PR
17+
uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
18+
with:
19+
target-branch: main
20+
config-file: .github/release-please/release-please-config.json
21+
manifest-file: .github/release-please/.release-please-manifest.json

.github/workflows/s3-upload.yml

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ jobs:
3737
# Step 0: Verify user permissions
3838
- name: Verify user permissions
3939
id: check-permissions
40-
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
40+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
4141
with:
4242
script: |
4343
const allowed = ['admin', 'maintain', 'triage'];
@@ -61,7 +61,7 @@ jobs:
6161
6262
# Step 1: Acknowledge the command by adding a reaction
6363
- name: React to command
64-
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
64+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
6565
with:
6666
script: |
6767
// Add an "eyes" emoji reaction to the comment to show we're processing
@@ -75,7 +75,7 @@ jobs:
7575
# Step 2: Extract GitHub image URLs from the comment
7676
- name: Extract GitHub image URLs
7777
id: extract-urls
78-
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
78+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
7979
with:
8080
script: |
8181
const comment = context.payload.comment.body;
@@ -193,24 +193,24 @@ jobs:
193193
194194
# Step 4: Checkout repository
195195
- name: Checkout repository
196-
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
196+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
197197

198198
# Step 5: Setup Node.js and pnpm
199199
- name: Setup Node.js
200-
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
200+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
201201
with:
202202
node-version: "20"
203203

204204
# Step 6: Install pnpm
205205
- name: Setup pnpm
206-
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
206+
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
207207
with:
208208
version: 10.15.0
209209
run_install: false
210210

211211
# Step 7: Cache pnpm dependencies
212212
- name: Cache pnpm dependencies
213-
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
213+
uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5.1.0
214214
id: pnpm-cache
215215
with:
216216
path: |
@@ -228,7 +228,7 @@ jobs:
228228
229229
# Step 9: Write URLs to a temp file for the processing script
230230
- name: Write URLs to file
231-
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
231+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
232232
with:
233233
script: |
234234
const fs = require('fs');
@@ -248,7 +248,7 @@ jobs:
248248
249249
# Step 9b: Configure AWS credentials using OIDC (just-in-time before upload)
250250
- name: Configure AWS credentials
251-
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
251+
uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1
252252
with:
253253
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
254254
aws-region: ${{ secrets.AWS_REGION }}
@@ -265,7 +265,7 @@ jobs:
265265
# Run script and capture output
266266
TEMP_OUTPUT=$(mktemp)
267267
set +e
268-
node .github/scripts/process-images.js > "$TEMP_OUTPUT" 2>&1
268+
node .github/scripts/process-images.cjs > "$TEMP_OUTPUT" 2>&1
269269
EXIT_CODE=$?
270270
set -e
271271
@@ -296,7 +296,7 @@ jobs:
296296
297297
# Step 11: Comment results back to PR and check for failures
298298
- name: Comment results and check failures
299-
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
299+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
300300
env:
301301
RESULTS_FILE_PATH: ${{ env.RESULTS_FILE_PATH }}
302302
with:

0 commit comments

Comments
 (0)