mirror of
https://github.com/coder/code-server.git
synced 2024-11-22 19:23:16 +03:00
fc6064dcd3
* Update Code to 1.94.2 * Convert from yarn to npm This is to match VS Code. We were already partially using npm for the releases so this is some nice alignment. * Update caniuse-lite This was complaining on every unit test. * Update eslint I was having a bunch of dependency conflicts and eslint seemed to be the culprit so I just removed it and set it up again, since it seems things have changed quite a bit. * Update test dependencies I was getting oom when running the unit tests...updating seems to work. * Remove package.json `scripts` property in release The new pre-install script was being included, which is dev-only. This was always the intent; did not realize jq's merge was recursive. * Remove jest and devDependencies in release as well * Update test extension dependencies This appears to be conflicting with the root dependencies. * Fix playwright exec npm does not let you run binaries like yarn does, as far as I know. * Fix import of server-main.js * Fix several tests by waiting for selectors
34 lines
1.5 KiB
Markdown
34 lines
1.5 KiB
Markdown
# Security Policy
|
|
|
|
Coder and the code-server team want to keep the code-server project secure and safe for end-users.
|
|
|
|
## Tools
|
|
|
|
We use the following tools to help us stay on top of vulnerability mitigation.
|
|
|
|
- [dependabot](https://dependabot.com/)
|
|
- Submits pull requests to upgrade dependencies. We use dependabot's version
|
|
upgrades as well as security updates.
|
|
- code-scanning
|
|
- [CodeQL](https://securitylab.github.com/tools/codeql/)
|
|
- Semantic code analysis engine that runs on a regular schedule (see
|
|
`codeql-analysis.yml`)
|
|
- [trivy](https://github.com/aquasecurity/trivy)
|
|
- Comprehensive vulnerability scanner that runs on PRs into the default
|
|
branch and scans both our container image and repository code (see
|
|
`trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml`)
|
|
- `npm audit`
|
|
- Audits NPM dependencies.
|
|
|
|
## Supported Versions
|
|
|
|
Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
|
|
|
|
| Version | Supported |
|
|
| ------------------------------------------------------- | ------------------ |
|
|
| [Latest](https://github.com/coder/code-server/releases) | :white_check_mark: |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.
|