OWASP · jgadsden · Jan 17, 2026 · Jan 17, 2026 · Jan 17, 2026 · Jan 17, 2026
@@ -25,3 +25,6 @@ CVE-2025-15284
 
 # ignore diff vulnerability as used in development package only
 GHSA-73rr-hh4g-fpgx
+
+#  tar is used during development/build only, not runtime
+CVE-2026-23745 
@@ -65,7 +65,7 @@ jobs:
         uses: actions/[email protected]
 
       - name: Spell check EN language
-        uses: rojopolis/spellcheck-github-actions@0.55.0
+        uses: rojopolis/spellcheck-github-actions@0.56.0
         with:
           config_path: .spellcheck.yaml
 

@@ -17,18 +17,20 @@ Threat Dragon will check a threat model against the schema when it is loading an
 but it will not stop the threat model from loading.
 
 If there is doubt about a threat model then ajv (Another JSON Validator) can be run from the
-command line to provide details of any discrepancy:
+command line to provide detail for most errors or omissions:
 
 ```text
 sudo npm install -g ajv-cli
 # if validating a version 1.x threat model
-ajv validate -s ~/owasp.threat-dragon.schema.V1.json  --all-errors  --verbose \
+ajv validate -s ~/threat-dragon-v1.schema.json  --all-errors  --verbose \
     -d ThreatDragonModels/demo-threat-model.json
 # or if validating a version 2.x threat model
-ajv validate --allow-union-types -s ~/owasp.threat-dragon.schema.V2.json  --all-errors  --verbose \
+ajv validate --allow-union-types -s ~/threat-dragon-v2.schema.json  --all-errors  --verbose \
     -d ThreatDragonModels/v2-threat-model.json
 ```
 
+The commands use a schema downloaded from either [version 1][td-v1-schema] or [version 2][td-v2-schema] schema files.
+
 ### TM-BOM
 
 The schema for the Threat Modeling - Bill of Materials (TM-BOM) file format is being developed as part of the
@@ -83,7 +85,7 @@ Threat Dragon: _making threat modeling less threatening_
 
 [json-schema]: https://json-schema.org/
 [otm-schema]: https://github.com/iriusrisk/OpenThreatModel/blob/main/otm_schema.json
-[td-v1-schema]: https://github.com/OWASP/threat-dragon/blob/main/td.vue/src/assets/owasp.threat-dragon.schema.V1.json
-[td-v2-schema]: https://github.com/OWASP/threat-dragon/blob/main/td.vue/src/assets/owasp.threat-dragon.schema.V2.json
+[td-v1-schema]: https://github.com/OWASP/threat-dragon/blob/main/td.vue/src/assets/schema/threat-dragon-v1.schema.json
+[td-v2-schema]: https://github.com/OWASP/threat-dragon/blob/main/td.vue/src/assets/schema/threat-dragon-v2.schema.json
 [tm-library]: https://github.com/OWASP/www-project-threat-model-library
 [tm-library-schema]: https://github.com/OWASP/www-project-threat-model-library/blob/main/threat-model.schema.json
@@ -21,13 +21,12 @@ navigating to the `td.vue` directory and running `npm run test:unit -- --watch`
 ### Mocha backend testing
 
 Unit testing for the server application `td.server` is done using [Mocha](https://mochajs.org/),
-with a little help from our friends Sinon.JS and [chai](https://www.chaijs.com/).
-To run the tests locally navigate to the `td.server` directory and run: `npm run test:unit`
+with a little help from our friends [Sinon.JS][sinon] and [chai][chai].
+To run the tests locally navigate to the `td.server` directory and run `npm run test:unit` or `npm test`.
 
 ## Code Coverage
 
-When you run unit tests for both the front-end and back-end application,
-you will be presented with a code coverage report.
+Run unit tests with `npm test` for either the front-end and back-end application to obtain the code coverage report.
 There will be an HTML report generated as well that you can view to
 dig deeper into what sections may be missing coverage.
 
@@ -36,3 +35,6 @@ We hope to keep the code coverage as high as possible.  If you need help writing
 ----
 
 Threat Dragon: _making threat modeling less threatening_
+
+[chai]: https://www.chaijs.com/
+[sinon]: https://sinonjs.org/
@@ -1,5 +1,5 @@
 {
-  "$id": "https://owasp.org/www-project-threat-dragon/assets/schemas/owasp.threat-dragon.schema.V1.json",
+  "$id": "https://github.com/OWASP/threat-dragon/tree/main/td.vue/src/assets/schema/threat-dragon-v1.schema.json",
   "title": "Threat Dragon model schema",
   "description": "The threat models used by OWASP Threat Dragon",
   "type": "object",

@@ -1,5 +1,5 @@
 {
-  "$id": "https://owasp.org/www-project-threat-dragon/assets/schemas/owasp.threat-dragon.schema.V2.json",
+  "$id": "https://github.com/OWASP/threat-dragon/tree/main/td.vue/src/assets/schema/threat-dragon-v2.schema.json",
   "title": "Threat Dragon model schema",
   "description": "The threat models used by OWASP Threat Dragon",
   "type": "object",

@@ -1,5 +1,5 @@
 {
-  "$id": "https://owasp.org/www-project-threat-dragon/assets/schemas/threat.model.format.schema.json",
+  "$id": "https://github.com/OWASP/threat-dragon/tree/main/td.vue/src/assets/schema/threat-model-format.schema.json",
   "title": "Threat Model Format",
   "description": "An open Threat Model Format (TMF) for threat models",
   "type": "object",

@@ -340,7 +340,7 @@ export default {
             return this.activeGame?.getCardCategory(this.card.number);
         },
         cardUrl() {
-            return this.activeGame?.getCardUrl(this.card.number)
+            return this.activeGame?.getCardUrl(this.card.number);
         }
     },
     data() {
@@ -391,7 +391,7 @@ export default {
                 );
             } else {
                 this.selectedGameId = this.threat.eopGameId;
-                this.card.suit = this.activeGame?.getCardCategory(this.threat.cardNumber);;
+                this.card.suit = this.activeGame?.getCardCategory(this.threat.cardNumber);
                 this.card.number = this.threat.cardNumber;
                 this.number = this.threat.number;
                 this.newThreat = state === 'new';

@@ -3,8 +3,8 @@ import addFormats from 'ajv-formats';
 import otm from '@/service/migration/otm/openThreatModel';
 import tmBom from '@/service/migration/tmBom/threatModelBom';
 
-const schemaV1 = require('@/assets/schema/owasp-threat-dragon-v1.schema');
-const schemaV2 = require('@/assets/schema/owasp-threat-dragon-v2.schema');
+const schemaV1 = require('@/assets/schema/threat-dragon-v1.schema');
+const schemaV2 = require('@/assets/schema/threat-dragon-v2.schema');
 
 const ajv = new Ajv({'allowUnionTypes' : true});
 addFormats(ajv);

@@ -11,15 +11,15 @@ export default {
 
     getData() {
         switch (i18n.get().locale) {
-            case 'spa':
-                return cornucopiaES;
-            case 'fra':
-                return cornucopiaFR;
-            case 'rus':
-                return cornucopiaRU;
-            case 'eng':
-            default:
-                return cornucopiaEN;
+        case 'spa':
+            return cornucopiaES;
+        case 'fra':
+            return cornucopiaFR;
+        case 'rus':
+            return cornucopiaRU;
+        case 'eng':
+        default:
+            return cornucopiaEN;
         }
     },