ruvnet
|
7962366713
|
ci(security): add 5-layer supply-chain CI + clear 3 npm criticals
Mirrors the pattern landed on sublinear-time-solver#25:
1. dependency-review (PRs only, informational)
2. cargo-audit (RustSec advisory DB, vulnerabilities only)
3. cargo-deny (license/source/ban policy via deny.toml)
4. npm-audit (workspace npm/ at --audit-level=critical)
5. lockfile-integrity (cargo metadata --locked)
npm criticals cleared via package.json overrides:
- vm2: transitively dropped via @google-cloud/redis 5.x
- fast-xml-parser: >=5.7.0 (was <=5.6.0 vuln)
- protobufjs: >=7.5.6 (was <=7.5.5 vuln)
- @google-cloud/redis: >=5.0.0 (was <=3.3.0 vuln)
- handlebars: picked up >=4.7.9 via override resolution
Result: 73 vulns → 33 (3 crit → 0, 36 high → 19, 17 medium → 5).
19 highs remain (mostly devDep transitives + ML helpers) and are
tracked via the new dependabot.yml — Dependabot will chip away
weekly.
deny.toml ignore-list with re-review dates covers:
- RUSTSEC-2023-0071 rsa Marvin Attack (no patched version yet,
local-only signing for Kalshi API; re-review
2026-08-01)
- RUSTSEC-2026-0097 rand unsoundness (not triggerable in our
usage — no logging inside RNG draws)
- RUSTSEC-2026-0115/0116/0117 imageproc unsoundness (scipix
offline examples only, never published)
- 8 unmaintained advisories (paste, bincode, instant, rand_os,
proc-macro-error, rustls-pemfile, rusttype, number_prefix,
core2) — all transitive, no CVE, tracked for migration
Added BSL-1.0, CDLA-Permissive-2.0, NCSA licenses to allowlist
(present in transitive deps via xxhash-rust, tch-rs, LLVM family).
dependabot.yml schedules weekly Tuesday 09:35 UTC for cargo +
npm + github-actions ecosystems with patch+minor grouping.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
2026-05-19 08:59:46 -04:00 |
|
BAS-More
|
c6579f6eed
|
security: add npm overrides for vulnerable transitive dependencies
Pins node-forge>=1.4.0, flatted>=3.3.3, picomatch>=4.0.3,
lodash>=4.17.22, brace-expansion>=2.0.2 via package.json overrides
to resolve Dependabot alerts downstream in BAS-More/RuView.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
2026-04-13 15:42:02 +10:00 |
|
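An override in package.json is a request; package-lock.json records what will actually be installed, including nested copies under other dependencies. Both of the override commits above (this one and the one clearing the npm criticals) benefit from the same check: walk the lockfile and report every installed copy that does not satisfy its override. The script below is an added example, not the project's own code. It assumes a lockfileVersion 2 or 3 lock, whose `packages` map keys each copy by its node_modules path, and override ranges of the form `>=X.Y.Z` or an exact version; both input documents are constructed for the example.

```python
"""Verify that package.json "overrides" are reflected in package-lock.json.

Added example, not code from the repository. Assumptions: lockfileVersion 2/3
("packages" keyed by node_modules path) and override ranges written as
">=X.Y.Z" or an exact "X.Y.Z". Other semver range forms are rejected.
"""
import json
import re
import sys

# Constructed sample inputs, not the project's real files.
PACKAGE_JSON = json.dumps({
    "name": "example",
    "overrides": {
        "node-forge": ">=1.4.0",
        "lodash": ">=4.17.22",
        "brace-expansion": ">=2.0.2",
    },
})

PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example"},
        "node_modules/node-forge": {"version": "1.4.0"},
        "node_modules/lodash": {"version": "4.17.22"},
        # Nested copy below the override floor: the kind of entry a lockfile
        # that was not regenerated after adding the override still carries.
        "node_modules/some-plugin/node_modules/lodash": {"version": "4.17.21"},
        "node_modules/brace-expansion": {"version": "2.0.2"},
        "node_modules/minimatch/node_modules/brace-expansion": {"version": "1.1.11"},
    },
})

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'4.17.21' -> (4, 17, 21); pre-release and build suffixes are ignored."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def satisfies(version, rng):
    """Only the two range forms this check supports: '>=X.Y.Z' and exact 'X.Y.Z'."""
    if rng.startswith(">="):
        return parse_version(version) >= parse_version(rng[2:])
    return parse_version(version) == parse_version(rng)


def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[1]


def find_override_violations(package_json_text, package_lock_text):
    """Return (lock_path, installed_version, override_range) for each bad copy."""
    overrides = json.loads(package_json_text).get("overrides", {})
    packages = json.loads(package_lock_text).get("packages", {})
    violations = []
    for path, meta in packages.items():
        if "node_modules/" not in path:  # root and workspace entries
            continue
        rng = overrides.get(package_name(path))
        if rng is None:
            continue
        version = meta.get("version")
        if version is None or not satisfies(version, rng):
            violations.append((path, version, rng))
    return violations


if __name__ == "__main__":
    # Usage: python check_overrides.py [package.json package-lock.json]
    if len(sys.argv) == 3:
        pj = open(sys.argv[1], encoding="utf-8").read()
        pl = open(sys.argv[2], encoding="utf-8").read()
    else:
        pj, pl = PACKAGE_JSON, PACKAGE_LOCK
    bad = find_override_violations(pj, pl)
    for path, version, rng in bad:
        print(f"override not applied: {path} is {version}, override requires {rng}")
    sys.exit(1 if bad else 0)
```

On the constructed input the top-level copies pass and the two nested copies (lodash 4.17.21, brace-expansion 1.1.11) are reported, which is exactly the case `npm audit` would still flag after the override was added but before the lockfile was regenerated.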
rUv
|
eefcc5322b
|
feat: Add multi-platform GitHub Actions workflow for native module builds
Phase 2: Multi-Platform Native Builds
This commit adds comprehensive GitHub Actions CI/CD for building native
NAPI modules across all major platforms:
✨ Features:
- GitHub Actions workflow with 5-platform matrix build:
- Linux (x64, ARM64)
- macOS (x64 Intel, ARM64 Apple Silicon)
- Windows (x64)
- Parallel builds complete in 7-10 minutes
- Automated artifact uploads and publishing
- Platform-specific npm packages with smart detection
📦 Package Structure:
- @ruvector/core - Main package with platform detection
- @ruvector/core-{platform} - Platform-specific binaries
- Smart loader with automatic platform selection
- Optional dependencies ensure minimal install size
🔧 Developer Tools:
- scripts/publish-platforms.js - Automated publishing
- Comprehensive TypeScript definitions
- Smoke tests for each platform
- Local build support with napi build
📚 Documentation:
- docs/BUILD_PROCESS.md - Complete build guide
- docs/PHASE2_MULTIPLATFORM_COMPLETE.md - Phase summary
- README for @ruvector/core package
- Troubleshooting and cross-compilation guides
🚀 Publishing Workflow:
1. Tag release (git tag v0.1.1)
2. Push to GitHub
3. CI builds all platforms
4. Publishes platform packages
5. Publishes main packages
Next: Phase 3 - WASM support with architectural refactoring
🤖 Generated with Claude Code
|
2025-11-21 13:19:13 +00:00 |
|