Feature Request Checklist
Overview
It's common for folks to post "low-quality" (no repro, just a report of `npm audit` and/or a CVE link) security reports to projects. They are largely spam. https://www.joshuakgoldberg.com/blog/please-stop-sending-me-nested-dependency-security-reports and all.
Can we have an opt-in (not even on by default in `strict`) OctoGuide rule that auto-closes these with an explanation, maybe?
Starting drafts for phrasing:
> Thanks for reporting a security issue. This is not the right place to report a potential vulnerability.
>
> Please see (link to contributing guidelines) for our security disclosure policy.
Perhaps there can be a preset / suggestion around specifically the kind of "nested dependency has false positive `npm audit` complaint" issue? (mochajs/mocha#5650, mochajs/mocha#5671, mochajs/mocha#5779, etc.)
> Thanks for reporting a nested dependency security report. It is rare that this kind of nested dependency report actually impacts users. The vast majority (>99.99%) of these reports are false positives that harm security by training developers to ignore audit tools.
>
> If there is a real security vulnerability, please see (link to contributing guidelines) for our security disclosure policy.
>
> In the meantime, you can override the dependency version through your package manager ({ links to common docs }).
Additional Info
Is there a good way to detect these automatically? It'd probably also be good for this to be triggerable with a label. Or, perhaps, a way for a maintainer to trigger it without it surfacing to the user...?
Adding in per-project custom security policy or other docs links is blocked on rule options: #20. That can be a followup for after this. For an initial version of the rule, we can just link to the GitHub standard contribution link.
Similar to #521. That one is about AI; this one is about security reports.
Co-authored-by: @cylewaitforit
🗺️
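One way the detection and the two auto-close drafts above could fit together, as an added example rather than OctoGuide's own code. The rule shape, the `nested-dependency-report` label name, the signal regexes, the "two audit-style signals and no repro evidence" threshold, the `policyUrl` placeholder and the sample issues are all assumptions constructed for this illustration; per-project links are still the follow-up the issue describes.

```typescript
// Added example, not OctoGuide's own code. Label name, thresholds, regexes and
// sample issues below are assumptions constructed for this illustration.

export interface IssueLike {
  title: string;
  body: string;
  labels: string[];
}

export interface Verdict {
  flagged: boolean;
  reason: "label" | "heuristic" | "none";
  signals: string[];
}

// Maintainer escape hatch: applying this (assumed) label forces the rule to fire.
export const TRIGGER_LABEL = "nested-dependency-report";

// Evidence that the report is pasted audit output or a bare advisory link.
const AUDIT_SIGNALS: Array<[string, RegExp]> = [
  ["cve-id", /\bCVE-\d{4}-\d{4,}\b/i],
  ["ghsa-id", /\bGHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}\b/i],
  ["npm-audit", /\bnpm audit\b|\bfound \d+ (?:\w+ )?vulnerabilit(?:y|ies)\b/i],
  ["advisory-link", /https?:\/\/(?:github\.com\/advisories|nvd\.nist\.gov|snyk\.io\/vuln)\//i],
  ["dependency-path", /\bnode_modules\/[\w@./-]+ > /i], // "a > b > c" style audit paths
];

// Evidence that the reporter actually demonstrated impact on this project.
const REPRO_SIGNALS: Array<[string, RegExp]> = [
  ["repro-steps", /\b(?:steps to reproduce|reproduction|repro)\b/i],
  ["stack-trace", /^\s+at \S+ \(.+:\d+:\d+\)$/m],
  ["code-fence", /```[\s\S]*?```/],
  ["exploit-claim", /\b(?:proof of concept|poc|payload|exploit(?:ed|able)?)\b/i],
];

function matching(signals: Array<[string, RegExp]>, text: string): string[] {
  return signals.filter(([, re]) => re.test(text)).map(([name]) => name);
}

export function classifyIssue(issue: IssueLike): Verdict {
  if (issue.labels.includes(TRIGGER_LABEL)) {
    return { flagged: true, reason: "label", signals: [TRIGGER_LABEL] };
  }
  const text = `${issue.title}\n${issue.body}`;
  const audit = matching(AUDIT_SIGNALS, text);
  const repro = matching(REPRO_SIGNALS, text);
  // Conservative on purpose: two independent audit-style signals and no sign of a
  // reproduction. A CVE id sitting next to a stack trace is left for a human.
  const flagged = audit.length >= 2 && repro.length === 0;
  return { flagged, reason: flagged ? "heuristic" : "none", signals: [...audit, ...repro] };
}

// Chooses between the two drafts from the issue. policyUrl is whatever the project
// points reporters at; a generic GitHub link would do for a first version.
export function autoCloseComment(verdict: Verdict, policyUrl: string): string {
  const nested = verdict.signals.some(
    (s) => s === "npm-audit" || s === "dependency-path" || s === TRIGGER_LABEL,
  );
  if (nested) {
    return [
      "Thanks for reporting a nested dependency security report. It is rare that this kind of nested dependency report actually impacts users. The vast majority of these reports are false positives that harm security by training developers to ignore audit tools.",
      `If there is a real security vulnerability, please see ${policyUrl} for our security disclosure policy.`,
      "In the meantime, you can override the dependency version through your package manager.",
    ].join("\n\n");
  }
  return [
    "Thanks for reporting a security issue. This is not the right place to report a potential vulnerability.",
    `Please see ${policyUrl} for our security disclosure policy.`,
  ].join("\n\n");
}

// Constructed sample issues (not real reports, not real advisories).
export const SAMPLE_AUDIT_REPORT: IssueLike = {
  title: "Security vulnerability in transitive dependency",
  body: "Running `npm audit` in my project reports 2 high severity vulnerabilities pulled in through your package.\n\nnode_modules/example-lib > some-dep > vulnerable-dep\nhttps://github.com/advisories/GHSA-xxxx-yyyy-zzzz\n\nPlease update.",
  labels: [],
};

export const SAMPLE_REAL_REPORT: IssueLike = {
  title: "Crash on crafted input",
  body: "Steps to reproduce:\n```sh\nnode repro.js\n```\nThe process then throws:\n    at parse (/app/lib/parse.js:12:5)",
  labels: [],
};

export const SAMPLE_LABELED: IssueLike = {
  title: "npm audit warning",
  body: "see attached audit output",
  labels: [TRIGGER_LABEL],
};
```

The label path answers the "maintainer trigger" question without surfacing anything to the reporter until the comment is posted; the heuristic path stays deliberately strict so a real report that happens to cite a CVE is not closed on sight.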