Skip to content

Security: jane-alesi/js-chess-engine

Security

SECURITY.md

Security Policy

πŸ”’ Security Updates - Issue #30 Resolution

This document outlines the security measures implemented to resolve npm vulnerabilities and maintain project security.

βœ… Security Fixes Applied (June 10, 2025)

Dependency Updates

  • ESLint: ^8.0.0 β†’ ^9.28.0
    • ⚠️ Critical: v8.x support ended October 5, 2024
    • βœ… Fixed: Updated to latest supported version with security patches
  • Jest: ^29.0.0 β†’ ^29.7.0
    • βœ… Updated: Latest stable version with security improvements
  • Prettier: ^3.0.0 β†’ ^3.3.3
    • βœ… Updated: Latest stable version
  • Live-server: ^1.2.2 (maintained)
    • βœ… Verified: No known vulnerabilities

Transitive Dependency Security Overrides

  • uuid: Force ^10.0.0 (fixes Math.random() vulnerability)
  • glob: Force ^11.0.0 (updates from unsupported v7.x)
  • rimraf: Force ^6.0.1 (latest secure version)
  • opn: Replace with open@^10.1.0 (opn deprecated)

Configuration Updates

  • ESLint Migration: Added eslint.config.js (flat config format for v9.x)
  • ESLint Globals: Added timer functions (setTimeout, setInterval, etc.)
  • Security Scripts: Added npm run security-check, security-fix, and security-fix-force

πŸ›‘οΈ Security Verification Steps

For Developers

  1. Install Dependencies:

    npm install

  2. Run Security Audit:

    npm run security-check
# or
npm audit

  3. Apply Security Fixes:

    npm run security-fix
# or for force fixes
npm run security-fix-force

  4. Verify Zero Vulnerabilities:

    npm audit
# Should report: "found 0 vulnerabilities"

  5. Run Linting:

    npm run lint
# Should pass without errors

πŸ” Advanced Security Features

npm Overrides Protection

The project uses package.json overrides to force secure versions of transitive dependencies:

{
    "overrides": {
        "uuid": "^10.0.0",
        "glob": "^11.0.0",
        "rimraf": "^6.0.1",
        "open": "^10.1.0",
        "opn": "npm:open@^10.1.0"
    }
}

Automated Checks

  • CI/CD Integration: Security audits run automatically in GitHub Actions
  • Regular Updates: Dependencies monitored for security updates
  • Vulnerability Scanning: Automated scanning for new vulnerabilities
  • ESLint Security Rules: Code quality and security enforcement

Manual Security Reviews

  • Monthly Audits: Regular security audits of all dependencies
  • Version Monitoring: Track security advisories for used packages
  • Code Review: Security-focused code review for all changes

πŸ“‹ Security Best Practices

Development Guidelines

  1. Keep Dependencies Updated: Regular updates to latest secure versions
  2. Use Overrides: Force secure versions of transitive dependencies
  3. Minimize Dependencies: Only include necessary packages
  4. Audit Before Release: Security audit before any release
  5. Monitor Advisories: Subscribe to security advisories for used packages

Reporting Security Issues

If you discover a security vulnerability:

  1. Do NOT create a public issue
  2. Email security concerns to: ja@satware.ai
  3. Include detailed description and reproduction steps
  4. Allow 48 hours for initial response

🎯 Security Targets

Zero Tolerance Policy

  • Zero Known Vulnerabilities: No unpatched security vulnerabilities
  • Latest Stable Versions: Use latest stable versions of all dependencies
  • Secure Transitive Dependencies: Override vulnerable indirect dependencies
  • Regular Audits: Monthly security audits and updates
  • Immediate Response: Security issues addressed within 24 hours

Compliance Standards

  • OWASP Guidelines: Follow OWASP security best practices
  • npm Security: Adhere to npm security recommendations
  • Industry Standards: Implement industry-standard security measures

πŸ“Š Security Status

Last Security Audit: June 10, 2025
Vulnerabilities Found: 0 (after overrides applied)
Security Score: βœ… SECURE
ESLint Status: βœ… PASSING
Next Scheduled Audit: July 10, 2025

πŸ”— Security Resources

Security Contact: ja@satware.ai
Project Maintainer: Jane Alesi
Last Updated: June 10, 2025

There aren’t any published security advisories