Merge branch 'master' of github.com:pustovitDmytro/npm-boilerplate

.circleci/config.yml

@@ -7,7 +7,19 @@ cache-defaults: &cache-defaults
     - -{{ checksum "package-lock.json" }}
 
 parameters:
-  env-tests:
+  skip-fossa:
+    type: boolean
+    default: false
+  skip-coveralls:
+    type: boolean
+    default: false
+  skip-security:
+    type: boolean
+    default: false
+  skip-leaks:
+    type: boolean
+    default: false
+  skip-deploy:
     type: boolean
     default: false
 
@@ -48,6 +60,9 @@ aliases:
   - &security
     name: Validate dependencies
     command: npm run test:security
+  - &security-all
+    name: Validate dev-dependencies
+    command: npm audit
   - &install
     name: Installing Dependencies
     command: npm ci
@@ -72,13 +87,33 @@ jobs:
   install:
     <<: *defaults
     steps:
-      - run: *fossa-install
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-fossa >>
+          steps:
+            - run: *fossa-install
       - checkout
       - run: *install
       - run: *security
       - run: *danger-pr
-      - run: *fossa-analize
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-fossa >>
+          steps:
+            - run: *fossa-analize
       - save_cache: *cache-modules
+  test-security:
+    <<: *defaults
+    steps:
+      - checkout
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-security >>
+          steps:
+            - restore_cache:
+                <<: *cache-defaults
+            - run: *security
+            - run: *security-all
   test-coverage:
     <<: *defaults
     steps:
@@ -90,15 +125,23 @@ jobs:
           path: reports
       - store_artifacts:
           path: reports
-      - run: *coveralls
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-coveralls >>
+          steps:
+            - run: *coveralls
   test-fossa:
     <<: *defaults
     steps:
-      - run: *fossa-install
       - checkout
-      - restore_cache:
-          <<: *cache-defaults
-      - run: *fossa-test
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-fossa >>
+          steps:
+            - run: *fossa-install
+            - restore_cache:
+                <<: *cache-defaults
+            - run: *fossa-test
   test-lint:
     <<: *defaults
     steps:
@@ -114,9 +157,13 @@ jobs:
       - image: zricethezav/gitleaks
     steps:
       - checkout
-      - run:
-          name: Run gitleaks
-          command: "gitleaks -v --path . --config-path .gitleaks.toml"
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-leaks >>
+          steps:
+            - run:
+                name: Run gitleaks
+                command: "gitleaks -v --path . --config-path .gitleaks.toml"
   test-debt:
     <<: *defaults
     steps:
@@ -136,19 +183,26 @@ jobs:
   deploy:
     <<: *defaults
     steps:
-        - checkout
-        - restore_cache:
-            <<: *cache-defaults
-        - run:
-            name: Create Release
-            command: "[ -z ${CIRCLE_SKIP_DEPLOY+x} ] && npm run semantic-release || echo 'job skipped'"
+      - checkout
+      - when:
+          condition:
+            not: << pipeline.parameters.skip-deploy >>
+          steps:
+            - restore_cache:
+                <<: *cache-defaults
+            - run:
+                name: Create Release
+                command: if [ -z ${CIRCLE_SKIP_DEPLOY+x} ]; then npm run semantic-release;else echo 'job skipped';fi
 
 workflows:
   version: 2
   main:
     jobs:
       - install:
           context: branches
+      - test-security:
+          requires:
+            - install
       - test-package:
           requires:
             - install
@@ -183,7 +237,3 @@ workflows:
           filters:
             branches:
               only: /pull\/[0-9]+/
-  env-tests:
-    when: << pipeline.parameters.env-tests >>
-    jobs:
-      - install

.dangerfile.js

@@ -6,8 +6,9 @@ const src = danger.git.fileMatch('src/*');
 const tests = danger.git.fileMatch('tests/*');
 const system = danger.git.fileMatch('.*', '.*/**', 'LICENSE.md', 'package-lock.json', 'package.json');
 const isOwner = danger.github.pr.user.login === danger.github.thisPR.owner;
-const renovateBot = 29139614;
-const TrustedBots = [ renovateBot ];
+const renovateBot = 29_139_614;
+const boltBot = 42_819_689;
+const TrustedBots = [ renovateBot, boltBot ];
 // const isBot = danger.github.pr.user.type === 'Bot';
 const isTrustedBot = TrustedBots.includes(danger.github.pr.user.id);
 const modifiedList = danger.git.modified_files.join('\n\n- ');

.github/FUNDING.yml

@@ -0,0 +1 @@
+patreon: pustovit

.github/ISSUE_TEMPLATE/feature_request.md

@@ -13,8 +13,8 @@ Ex. I'm always frustrated when [...]
 
 **Please follow the general troubleshooting steps first:**
 - [ ] I've searched on the [issue tracker](../) before creating one.
-- [ ] I'm running latest package version.
-- [ ] I'm ready to provide help with enhancement, if needed.
+- [ ] I'm running the latest package version.
+- [ ] I'm ready to provide help with enhancement if needed.
 - [ ] Feature will break current functionality
 
 **Describe the solution you'd like**

.github/ISSUE_TEMPLATE/vulnerability.md

@@ -0,0 +1,30 @@
+---
+name: Vulnerability
+about: Report a vulnerability
+title: 'Security: brief description'
+labels: security
+assignees: pustovitDmytro
+---
+
+**Issue Description**
+
+A clear and concise description of what the bug is. Paste here a brief summary of your issue. If you are able to, please also include: the type of vulnerability, for example, the OWASP category.
+
+**Please follow the general troubleshooting steps first:**
+- [ ] I've searched on the [issue tracker](../) before creating one.
+- [ ] The issue relates to the package's dependency.
+- [ ] The issue relates to the codebase.
+- [ ] I'm running the latest package version.
+- [ ] I'm ready to provide help with a fix if needed.
+
+**Screenshots**
+
+If applicable, add screenshots or logs showing the exploitation of the vulnerability.
+
+**Environment:**
+ - Version X.X.X
+ - Node.js version: XXX
+ - Operating System: XXX
+
+**Additional context**
+Add any other context about the problem here.

.github/SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy
+
+If you’ve found a vulnerability, we would like to know so we can fix it. This notice provides details for how you can let us know about vulnerabilities
+
+## Supported Versions
+
+Only last major version is currently being supported with security updates.
+
+## Reporting a Vulnerability
+
+To report a (suspected) security vulnerability in package code use the **Vulnerability Template** in the issues section.
+
+If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
+
+Report security bugs in third-party modules to the person or team maintaining the module. Use the **Vulnerability Template** if a dependency version update is needed to resolve the vulnerability.
+
+When you are investigating and reporting the vulnerability, you must not:
+
+* break the law
+* access unnecessary or excessive amounts of data
+* modify third-party data
+* use high-intensity invasive or destructive scanning tools to find vulnerabilities
+* try a denial of service - for example overwhelming a real service with a high volume of requests
+* disrupt production services or systems
+* tell other people about the vulnerability you have found until we have disclosed it
+* social engineer, phish or physically attack any staff or infrastructure
+* demand money to disclose a vulnerability
+
+## Bug bounty
+Unfortunately, we doesn't offer a paid bug bounty programme.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a pull request.

.lalapsrc.json

@@ -0,0 +1,31 @@
+{
+    "timezone": "Europe/Kiev",
+    "branchPrefix": "lalaps",
+    "labels": [ "dependencies", "security" ],
+    "schedule": [
+        "before 7:00 am every 10 days starting on the 5th day"
+    ],
+    "verbosity": 0,
+    "commitMessageFix": "Chore: fixes npm audit vulnerabilities",
+    "commitMessagePartialFix": "Chore: fixes some npm audit vulnerabilities",
+    "rules": [ 
+        {
+            "advisory": "npm",
+            "automerge": true,
+            "commitMessageFix": "Fix: fixes npm audit vulnerabilities",
+            "commitMessagePartialFix": "Fix: fixes some npm audit vulnerabilities",
+            "production": true,
+            "branch": "npm-production"
+        },
+        {
+            "advisory": "npm",
+            "automerge": true,
+            "branch": "npm"
+        },
+        {
+            "advisory": "npm",
+            "force": true,
+            "branch": "npm-force"
+        }
+    ]
+}

.renovaterc

@@ -3,6 +3,8 @@
         "config:base"
     ],
 
+    "timezone": "Europe/Kiev",
+
     "rangeStrategy": "replace",
     "ignoreUnstable": true,
 
@@ -18,7 +20,7 @@
         "enabled": true,
         "automerge": true,
         "schedule": [
-            "before 3am on the 15th through 20th day of the month"
+            "before 7:00 am every 10 days starting on the 5th day"
         ]
     },
 
@@ -59,7 +61,7 @@
             "rangeStrategy": "bump",
             "semanticCommitType": "Chore",
             "schedule": [
-                "before 3am on the 1th through 5th day of the month"
+                "before 7:00 am every 10 days starting on the 1st day"
             ],
             "automerge": true
         },

.whitesource

@@ -0,0 +1,12 @@
+{
+  "scanSettings": {
+    "baseBranches": []
+  },
+  "checkRunSettings": {
+    "vulnerableCheckRunConclusionLevel": "failure",
+    "displayMode": "diff"
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW"
+  }
+}