Contributing to SafeInstall

Thanks for considering a contribution. SafeInstall sits in the install path of every developer who uses it, so we hold the bar high for safety, deterministic behavior, and a small dependency footprint.

Development setup

git clone https://github.com/ATOM00blue/safeinstall.git
cd safeinstall
go test ./...
go build -o sical ./cmd/safeinstall   # local binary; rename if Windows AV is twitchy
./sical check lodash

Go 1.22 or newer is supported. We use the standard library only — please don't add runtime dependencies without prior discussion.

What we want

  • Typosquat additions. Pull requests adding popular package names to internal/typosquat/{npm,pypi,cargo}_top.go.
  • False-positive reports. A trusted package that scores above 50 when it shouldn't. Open an issue with the package name and the report output (--json).
  • New detection signals for documented attack patterns. Open an issue describing the pattern before opening a PR.
  • Bug reports that are reproducible (provide ecosystem, package name, version, expected vs actual).
  • Doc improvements, especially real-world usage examples.
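The typosquat lists mentioned above are consulted to flag names that are one or two edits away from a popular package. As an added illustration (not the project's own code, and not the actual shape of internal/typosquat/npm_top.go, which is assumed here), the following Go snippet shows the kind of check such a list feeds: a constructed top-package table, an edit distance that treats a transposition as a single edit, and a lookup that never flags an exact popular name.

```go
package main

import (
	"fmt"
	"strings"
)

// topNPM is a constructed stand-in for a popular-package table; these entries
// are illustrative, not the project's list.
var topNPM = []string{"lodash", "express", "react", "chalk", "commander"}

func minInt(vals ...int) int {
	m := vals[0]
	for _, v := range vals[1:] {
		if v < m {
			m = v
		}
	}
	return m
}

// editDistance returns the optimal-string-alignment (Damerau-Levenshtein)
// distance between a and b, so swapping two adjacent characters costs 1.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := 0; j <= len(rb); j++ {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(d[i-1][j]+1, d[i][j-1]+1, d[i-1][j-1]+cost)
			// adjacent transposition, e.g. "lodahs" -> "lodash"
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1)
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// TyposquatMatch reports whether name is a near-miss of a more popular package.
// It returns the closest popular name and true when name is not itself in the
// list and lies within maxDist edits of an entry. (Hypothetical helper.)
func TyposquatMatch(name string, top []string, maxDist int) (string, bool) {
	name = strings.ToLower(name)
	for _, t := range top {
		if t == name {
			return "", false // exact popular package, not a squat
		}
	}
	best, bestDist := "", maxDist+1
	for _, t := range top {
		if d := editDistance(name, t); d < bestDist {
			best, bestDist = t, d
		}
	}
	if bestDist > maxDist {
		return "", false
	}
	return best, true
}

func main() {
	for _, n := range []string{"lodahs", "expres", "lodash", "left-pad"} {
		if near, ok := TyposquatMatch(n, topNPM, 1); ok {
			fmt.Printf("%-10s looks like a typosquat of %q\n", n, near)
		} else {
			fmt.Printf("%-10s no near-miss\n", n)
		}
	}
}
```

A real list entry for such a table is just the popular name; the value of a PR adding names lies in keeping the table to genuinely popular packages, since every entry widens the set of names that can trip the check.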

What we will NOT accept (without prior discussion)

  • New runtime dependencies. We use the stdlib plus at most a single dev-only dependency (currently none). This is intentional. Security tools should be small.
  • Vendor-specific allowlists in code. Use the --allowlist flag or .safeinstall.json.
  • Telemetry or any non-essential network call. The tool's only network calls on the user's behalf are the registry lookup and the OSV lookup. That's it.
  • Auto-uninstall or auto-quarantine logic. Detection only; the user takes action. This is a v0.1 boundary.

Pull request checklist

  • go test ./... passes
  • go vet ./... clean
  • No new go.mod entries (unless discussed)
  • If adding a signal: document it in the "Risk signals" table in README.md
  • If touching scoring: explain the weight choice in the PR description
  • Functions have brief doc comments

Reporting a malicious package

If you discover a malicious package in the wild:

  1. Report to the registry first (npm, PyPI, crates.io) — they have takedown power.
  2. Submit it to OSV at https://osv.dev — that's the source we query.
  3. Open an issue here so we can add an integration test fixture.

We do not ship a private IOC list. Use OSV.

License

By contributing, you agree your contributions will be licensed under the MIT License.