See also: COST_SAFETY.md for the threat model and mitigations around runaway-cost attacks (bandwidth, LLM-invocation, email-quota abuse).
Following the ongoing Shai-Hulud / Mini Shai-Hulud / TeamPCP npm worm waves (Sep 2025 → May 2026, > 400 packages compromised across at least 5 distinct campaigns, including TanStack, Mistral AI, OpenSearch, Guardrails AI, AntV, and axios), this repo applies the following free, no-paid-service defense layers:
| Layer | Implementation | Effect |
|---|---|---|
| Cooldown (npm side) | .npmrc minimum-release-age=10080 (= 7 days) |
Refuses to install any package version published less than 7 days ago. Absorbs essentially all known supply-chain attack lifetimes (axios 2026-03 = 4-5 h; Shai-Hulud TanStack 2026-05 = 22 m publish burst). |
| Cooldown (Dependabot side) | .github/dependabot.yml cooldown: with 5 / 7 / 14 day gates per semver level, applied to npm + github-actions + pip ecosystems |
Defers automated update PRs until the cooldown window clears. |
| Lifecycle script gate | NOT applied here (intentional exception) | The sibling ignore-scripts=true layer is incompatible with this repo's build: ADR-0056's postinstall script generates apps/knowledge/src/lib/attestation-data.json (gitignored) before typecheck. We rely on the remaining layers + lockfile-pinned versions to keep the attack surface bounded, since the only post-install code that runs at install time is the in-tree generator and the lockfile is frozen-installed in CI. |
| Audit floor | .npmrc audit-level=high + pnpm audit in CI |
Fails on any high-or-critical advisory. |
| Lockfile integrity | pnpm install --frozen-lockfile in CI (existing) |
Verifies every package against its committed integrity hash. |
| Static + dep audit | pnpm typecheck + CodeQL + Socket Security + Vercel preview checks (existing) |
Multiple complementary scanners. |
Primary sources:
- pnpm
minimumReleaseAgeshipped in pnpm 10.16 (2025-09); default-on in pnpm 11.0 (2026-05) at 1 day. - Dependabot
cooldown:shipped 2025-07-01 (GitHub Changelog). - 7-day window rationale: cooldowns.dev.
This is a solo portfolio project. Only the main branch is supported. Please exercise main's current HEAD when reporting.
If you discover a security issue in the code, the infrastructure, or the live demo at https://craftstack-collab.vercel.app, please do not open a public issue.
Instead, open a private security advisory on GitHub:
https://github.com/leagames0221-sys/craftstack/security/advisories/new
Include:
- A short description of the issue
- Reproduction steps or a proof-of-concept
- The component affected (e.g. Auth.js callback, API route handler, migration SQL)
- Any mitigation ideas you have
I aim to acknowledge reports within 72 hours and to publish a fix or a detailed plan within 14 days. If the issue is high-severity and requires production action (rotating secrets, revoking tokens, pulling the deployment), I will act immediately.
In scope:
- Code in this repository
- The Vercel deployments of Boardly (
craftstack-collab) and Knowlex (craftstack-knowledge) - The Neon database schemas and migrations (both
boardly-dbandknowlex-db) - The Pusher Channels integration that powers Boardly realtime fanout
Out of scope:
- Vulnerabilities in upstream dependencies (please report those to the respective maintainers; I will update once they publish a fix)
- Social engineering against me or other contributors
- Physical attacks on Vercel, Neon, or Upstash infrastructure
Security researchers and friendly observers who report issues responsibly are acknowledged in release notes (with permission).
This policy is reviewed annually (or sooner if the threat model materially changes). Last reviewed: 2026-04-28 (v0.5.10 ship, alongside OpenSSF Scorecard adoption per ADR-0059).