feat: package metadata, SECURITY.md and CI Node 24 #25
Merged
- description: replace generic text with a concise feature summary
- exports: add conditional exports map (require/import/types) so bundlers resolve CJS vs ESM automatically without guessing
- module: add "module" field pointing to ESM build for legacy bundlers
- keywords: expand from 4 to 18 terms covering the actual modules (crypto, jwt, uuid, sorting, queue, cache, http, logging, storage, esm, commonjs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Node 20 is deprecated on GitHub Actions runners (forced to 24 since 2025-09-19). Change the explicit node-version in setup-node to 24 so the npm publish step runs on the correct declared version.

Note: remaining warnings from actions/checkout@v4, actions/setup-node@v4, and softprops/action-gh-release@v2 are internal to those actions (their action.yml still says `runs.using: node20`); those require upstream updates by the action maintainers — the runner already forces Node 24 for them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…rity invariants

- Supported-versions table (14.x active, 13.x critical-only until 2026-12-31)
- Private reporting via GitHub Security Advisories + e-mail fallback
- Response timeline: 48h ack, 5-day triage, 14-day patch for critical/high
- Documents all security invariants enforced in CI: AES-256-GCM, ChaCha20-Poly1305, RSA-OAEP, JWT algorithm allowlist, path confinement, prototype-pollution protection, bcrypt for passwords
- Dependency policy: exact pins, 3-month lag, CJS check, Gitleaks scan
- Scope: in-scope vs out-of-scope for reports

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove the 13.x critical-fixes exception; only 14.x receives support. All older versions are unsupported.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3 tasks
Summary
- `package.json` — enriched description, `module` field (ESM), `exports` map (require/import/types), keywords expanded from 4 to 18 terms
- `SECURITY.md` — security policy: supported versions (14.x only), private reporting channel via GitHub Security Advisories, response SLA, documented security invariants, and dependency policy
- `release.yml` — `node-version` updated from 20 to 24 (Node 20 is deprecated on GitHub Actions runners)

Test plan
- `pr-version` bumps the version to `14.0.2`
- `release.yml` publishes `14.0.2` to npm

🤖 Generated with Claude Code