mirror of
https://github.com/ruvnet/RuVector.git
synced 2026-05-23 12:55:26 +00:00
Mirrors the pattern landed on sublinear-time-solver#25:
1. dependency-review (PRs only, informational)
2. cargo-audit (RustSec advisory DB, vulnerabilities only)
3. cargo-deny (license/source/ban policy via deny.toml)
4. npm-audit (workspace npm/ at --audit-level=critical)
5. lockfile-integrity (cargo metadata --locked)
npm criticals cleared via package.json overrides:
- vm2: transitively dropped via @google-cloud/redis 5.x
- fast-xml-parser: >=5.7.0 (was <=5.6.0 vuln)
- protobufjs: >=7.5.6 (was <=7.5.5 vuln)
- @google-cloud/redis: >=5.0.0 (was <=3.3.0 vuln)
- handlebars: picked up >=4.7.9 via override resolution
Result: 73 vulns → 33 (3 crit → 0, 36 high → 19, 17 medium → 5).
19 highs remain (mostly devDep transitives + ML helpers) and are
tracked via the new dependabot.yml — Dependabot will chip away
weekly.
deny.toml ignore-list with re-review dates covers:
- RUSTSEC-2023-0071 rsa Marvin Attack (no patched version yet,
local-only signing for Kalshi API; re-review
2026-08-01)
- RUSTSEC-2026-0097 rand unsoundness (not triggerable in our
usage — no logging inside RNG draws)
- RUSTSEC-2026-0115/0116/0117 imageproc unsoundness (scipix
offline examples only, never published)
- 8 unmaintained advisories (paste, bincode, instant, rand_os,
proc-macro-error, rustls-pemfile, rusttype, number_prefix,
core2) — all transitive, no CVE, tracked for migration
Added BSL-1.0, CDLA-Permissive-2.0, NCSA licenses to allowlist
(present in transitive deps via xxhash-rust, tch-rs, LLVM family).
dependabot.yml schedules weekly Tuesday 09:35 UTC for cargo +
npm + github-actions ecosystems with patch+minor grouping.
Co-Authored-By: claude-flow <ruv@ruv.net>
43 lines
1.3 KiB
JSON
{
  "name": "@ruvector/workspace",
  "version": "0.1.0",
  "private": true,
  "workspaces": [
    "packages/*"
  ],
  "scripts": {
    "build": "npm run build --workspaces --if-present",
    "test": "node tests/run-all-tests.js",
    "test:unit": "node tests/run-all-tests.js --only=unit",
    "test:integration": "node tests/run-all-tests.js --only=integration",
    "test:perf": "node tests/run-all-tests.js --perf",
    "test:workspaces": "npm run test --workspaces --if-present",
    "clean": "npm run clean --workspaces --if-present",
    "lint": "npm run lint --workspaces --if-present",
    "format": "prettier --write \"packages/**/*.{ts,js,json,md}\"",
    "typecheck": "npm run typecheck --workspaces --if-present"
  },
  "devDependencies": {
    "@types/node": "^20.10.0",
    "@typescript-eslint/eslint-plugin": "^6.13.0",
    "@typescript-eslint/parser": "^6.13.0",
    "eslint": "^8.54.0",
    "prettier": "^3.1.0",
    "typescript": "^5.3.0"
  },
  "engines": {
    "node": ">=18.0.0",
    "npm": ">=9.0.0"
  },
  "overrides": {
    "node-forge": ">=1.4.0",
    "flatted": ">=3.3.3",
    "picomatch": ">=4.0.3",
    "lodash": ">=4.17.22",
    "brace-expansion": ">=2.0.2",
    "fast-xml-parser": ">=5.7.0",
    "protobufjs": ">=7.5.6",
    "@google-cloud/redis": ">=5.0.0",
    "vm2": ">=3.11.5"
  }
}
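The commit relies on package.json "overrides" to force patched floors onto transitive dependencies, and the message notes that some packages were only "picked up via override resolution". An override that silently fails to apply (for example to a nested copy under another package's node_modules) leaves the vulnerable version in place, so it is worth checking the lockfile against the override floors after install. The script below is an added example, not code from the RuVector repository; it assumes a package-lock v2/v3 "packages" map, supports only the ">=x.y.z" override form this package.json uses, and uses a constructed lockfile fragment as input.

```javascript
// Added example (not RuVector project code): verify that every package in a
// package-lock.json "packages" map satisfies the ">=x.y.z" floors declared in
// package.json "overrides". Only the ">=" form used by this package.json is
// supported; prerelease and build suffixes are ignored when comparing.
function parseVersion(v) {
  // "7.5.6-beta.1+build" -> [7, 5, 6]; missing or wildcard components count as 0
  return v.split(/[-+]/)[0].split('.').map((n) => Number.parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
function packageNameFromPath(lockPath) {
  // "node_modules/a/node_modules/@scope/pkg" -> "@scope/pkg" (nested copies included)
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}
function checkOverrides(overrides, lock) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // "" is the root project itself
    const name = packageNameFromPath(lockPath);
    const rule = overrides[name];
    if (rule === undefined) continue;
    if (typeof rule !== 'string' || !rule.startsWith('>=')) {
      throw new Error(`unsupported override for ${name}: ${JSON.stringify(rule)}`);
    }
    if (compareVersions(entry.version, rule.slice(2).trim()) < 0) {
      violations.push({ path: lockPath, name, installed: entry.version, required: rule });
    }
  }
  return violations;
}
// Constructed sample: three overrides from this commit's package.json and a
// hand-made lockfile fragment in which one nested copy of lodash was not bumped.
const OVERRIDES = { lodash: '>=4.17.22', 'fast-xml-parser': '>=5.7.0', '@google-cloud/redis': '>=5.0.0' };
const SAMPLE_LOCK = { packages: {
  '': { name: '@ruvector/workspace' },
  'node_modules/lodash': { version: '4.17.22' },
  'node_modules/fast-xml-parser': { version: '5.7.1' },
  'node_modules/@google-cloud/redis': { version: '5.1.0' },
  'node_modules/some-dep/node_modules/lodash': { version: '4.17.21' },
} };
const SAMPLE_VIOLATIONS = checkOverrides(OVERRIDES, SAMPLE_LOCK);
console.log(SAMPLE_VIOLATIONS); // one entry: the nested lodash 4.17.21 below the 4.17.22 floor
```

Against a real checkout, read the two JSON files with `JSON.parse(fs.readFileSync(...))` and feed `pkg.overrides` and the lockfile object to `checkOverrides`; a non-empty result means an override did not take effect where `npm audit` would still flag it.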