
Commit c5a04e8

Author: Eddie Knight
Added dependencies policy (#3456)

Extended SECURITY-INSIGHTS.yml for CLOMonitor score

Signed-off-by: Eddie Knight <[email protected]>
1 parent c3860fe commit c5a04e8

File tree

2 files changed

+17
-0
lines changed


CONTRIBUTING.md

Lines changed: 14 additions & 0 deletions
@@ -82,3 +82,17 @@ Date: Thu Feb 2 11:41:15 2018 -0800
8282
Notice how the `Author` and `Signed-off-by` lines match. If they do not match the PR will be rejected by the automated DCO check.
8383

8484
If more than one person contributed to a commit than there can be more than one `Signed-off-by` line where each line is a signoff from a different person who contributed to the commit.
85+
86+
87+
## Dependencies Policy
88+
89+
Dependencies must be evaluated before being introduced to ensure they:
90+
91+
1) are actively maintained
92+
2) are maintained by trustworthy maintainers
93+
94+
These evaluations vary from dependency to dependencies.
95+
96+
Dependencies are also scheduled for removal if that project has been deprecated or if the project is no longer maintained.
97+
98+
CVEs in dependencies will be patched for all supported versions if the CVE is applicable and is assessed as a high or critical severity.
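Review bot: the new Dependencies Policy section (lines +87 to +98) says dependencies "must be evaluated" for active maintenance and trustworthy maintainers, but never states who performs the evaluation, what evidence counts, or where the outcome is recorded, so a later reader cannot verify that the policy was applied to a given PR; a sentence such as "The evaluation is done by the reviewer of the PR that introduces the dependency and summarised in the PR description" would make it auditable. Two smaller points in the same hunk: line +94 reads "vary from dependency to dependencies" and should be "from dependency to dependency", and line +98 commits to patching only "high or critical severity" CVEs without naming the scoring system (CVSS or otherwise) or saying what happens to lower-severity findings, which leaves the commitment ambiguous for anyone landing here from the CLOMonitor link. The two consecutive blank `+` lines at +85 and +86 can also be collapsed to one.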

SECURITY-INSIGHTS.yml

Lines changed: 3 additions & 0 deletions
@@ -19,3 +19,6 @@ security-contacts:
1919
2020
vulnerability-reporting:
2121
accepts-vulnerability-reports: true
22+
dependencies:
23+
env-dependencies-policy:
24+
policy-url: https://github.com/artifacthub/hub/blob/master/CONTRIBUTING.md#dependencies-policy
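Review bot: `policy-url` on line +24 points at the `master` branch of CONTRIBUTING.md with the fragment `#dependencies-policy`, which is derived from the heading text "## Dependencies Policy" added in the other file of this commit; a later rename of that heading would break the link silently, with no CI failure, and the CLOMonitor score would regress unnoticed, so either a link check in CI or a comment beside the key noting that the fragment tracks the heading is worth adding. Also worth confirming that `dependencies:` (line +22) sits at top level alongside `vulnerability-reporting:` rather than nested under it, since the rendered view does not show indentation and a mis-indented key would be ignored by the SECURITY-INSIGHTS consumer.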
