
feat(security): comprehensive security audit and dependency hardening #40

Merged
PAMulligan merged 1 commit into main from 20-security-audit-and-dependency-hardening
Mar 31, 2026

Conversation

@PAMulligan
Collaborator

Summary

  • Fix dependency vulnerabilities: Updated vitest to 4.1.2, resolving 2 picomatch vulnerabilities (1 high ReDoS, 1 moderate method injection)
  • Add Snyk CI scanning: New security-scan job runs pnpm audit, Snyk vulnerability scanning, and anti-pattern checks on every push/PR
  • Create input sanitization library: scripts/lib/sanitize.js with URL, path, HTML, shell arg, and JSON sanitization to prevent SSRF, XSS, command injection, and prototype pollution
  • Add CSP headers configuration: templates/shared/security-headers.config.js with ready-to-use configs for Next.js, Vite/Express, and Helmet.js
  • Security documentation: Comprehensive best practices guide covering dependencies, input validation, CSP, auth, API security, and CI/CD

Test plan

  • pnpm audit reports no known vulnerabilities
  • ./scripts/check-security.sh passes all checks
  • CI security-scan job runs successfully (requires SNYK_TOKEN secret)
  • Verify CSP headers config integrates with Next.js/Vite projects

Files changed

File                                          Purpose
.github/workflows/ci.yml                      Added security-scan job with Snyk
.claude/pipeline.config.json                  Enhanced security configuration
.snyk                                         Snyk policy file
scripts/lib/sanitize.js                       Input sanitization utilities
templates/shared/security-headers.config.js   CSP and security headers
docs/security/SECURITY-BEST-PRACTICES.md      Security documentation
package.json / pnpm-lock.yaml                 vitest update

Closes #20

🤖 Generated with Claude Code
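Added illustration, not the repository's scripts/lib/sanitize.js (whose contents are not shown on this page): two of the checks the summary lists, a prototype-pollution-safe JSON parser and an SSRF-aware URL sanitizer, written as plain Node.js functions. The function names, the blocked-key list and the private-address policy are assumptions made for the example; the sample payload and URLs are constructed.

```javascript
// Added example, not the project's scripts/lib/sanitize.js. Function names,
// the forbidden-key list and the private-address policy are assumptions.

// Keys that let attacker-controlled JSON reach Object.prototype when the
// parsed value is later deep-merged into another object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Parse JSON and delete polluting keys at every depth. JSON.parse creates
// "__proto__" as an own property, so the reviver sees it; returning
// undefined from the reviver removes the property from its holder.
function safeJsonParse(text) {
  let removed = 0;
  const value = JSON.parse(text, (key, val) => {
    if (FORBIDDEN_KEYS.has(key)) {
      removed += 1;
      return undefined;
    }
    return val;
  });
  return { value, removed };
}

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for unspecified, loopback, RFC 1918 and link-local IPv4 (the range
// cloud metadata services answer on), IPv6 loopback/unspecified/unique-local/
// link-local, and the localhost name. Only literal hosts are judged here.
function isPrivateAddress(host) {
  const m = IPV4.exec(host);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 169 && b === 254);
  }
  if (host.includes(":")) {
    const h = host.toLowerCase();
    return h === "::1" || h === "::" || /^f[cd]/.test(h) || h.startsWith("fe80");
  }
  return host === "localhost" || host.endsWith(".localhost");
}

// Validate a user-supplied URL before a server-side fetch. Parsing with the
// WHATWG URL class canonicalises hosts (hex or octal IPv4 spellings become
// dotted decimal), so the range check runs on the normalised form.
function sanitizeUrl(input, { allowedProtocols = ["https:"] } = {}) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (!allowedProtocols.includes(url.protocol)) {
    return { ok: false, reason: "protocol" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials" };
  }
  // IPv6 literals keep their brackets in url.hostname; strip them first.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (isPrivateAddress(host)) {
    return { ok: false, reason: "private-host" };
  }
  return { ok: true, url: url.href };
}

// Constructed sample input: a payload that would pollute Object.prototype if
// deep-merged unchecked, and a few URLs a fetch wrapper might be handed.
const SAMPLE_JSON =
  '{"a":1,"__proto__":{"polluted":true},"nested":{"constructor":{"x":1},"b":2}}';
const SAMPLE_URLS = [
  "https://example.com/path?q=1",
  "http://example.com/",
  "https://169.254.169.254/latest/",
  "https://0x7f000001/",
  "https://[::1]/",
  "https://user:pw@example.com/",
];

// Run both sanitizers over the constructed input and return the verdicts.
function demo() {
  const parsed = safeJsonParse(SAMPLE_JSON);
  const urls = SAMPLE_URLS.map((u) => [u, sanitizeUrl(u).reason || "ok"]);
  return { parsed, urls };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hostname check only judges literal hosts. A name that resolves to a private address, or that rebinds between validation and connection, has to be caught at connect time as well, for example by checking the resolved address in the HTTP agent's lookup hook before the socket opens.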

…ning

- Fix picomatch vulnerabilities by updating vitest to 4.1.2
- Add Snyk scanning to CI workflow with artifact uploads
- Create input sanitization library (URL, path, HTML, shell, JSON)
- Add CSP headers configuration for Next.js, Vite, and Express
- Create security best practices documentation
- Enhance pipeline.config.json with security settings
- Add .snyk policy file for vulnerability management

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
PAMulligan linked an issue Mar 31, 2026 that may be closed by this pull request
PAMulligan self-assigned this Mar 31, 2026
PAMulligan added the security (Security hardening and auditing) label Mar 31, 2026
PAMulligan moved this from Todo to Done in PMDS Open Source Roadmap Mar 31, 2026
PAMulligan added this to the v1.1.0 milestone Mar 31, 2026
PAMulligan merged commit a062669 into main Mar 31, 2026
4 checks passed

Labels: security (Security hardening and auditing)

Linked issue (may be closed by this pull request): Security audit and dependency hardening

1 participant