mirror of
https://github.com/kharonsec/br-acc
synced 2026-04-25 17:15:02 +02:00
* chore(ci): add npm audit job for frontend deps in security workflow
* docs(frontend/security): document VITE env and JWT storage in CONTRIBUTING
* fix(frontend): resolve high-severity npm audit (minimatch, rollup)
  - npm audit fix for ReDoS in minimatch and path traversal in rollup
  - Unblocks Security / NPM Audit (frontend) CI check per review

Made-with: Cursor

Co-authored-by: Bruno César <bruno@sekai.cx>
1.4 KiB
Contributing to BR/ACC Open Graph
Language: English | Português (Brasil)
Thanks for helping improve BR/ACC Open Graph.
Ground Rules
- Keep changes aligned with public-interest transparency goals.
- Do not add secrets, credentials, or private infrastructure details.
- Respect public-safe defaults and privacy/legal constraints.
Development Setup
```bash
cd api && uv sync --dev
cd ../etl && uv sync --dev
cd ../frontend && npm install
```
Security and Environment
- Frontend env: Only `VITE_*` variables are exposed in the client bundle, and anything in a `VITE_*` variable is readable by anyone who loads the site. Do not put secrets in `VITE_*`; use them only for public config (e.g. `VITE_API_URL`, `VITE_PUBLIC_MODE`).
- Auth: Keep tokens in memory or in HttpOnly cookies only; do not persist a JWT in `localStorage` or `sessionStorage`.
- Releases: Before a release, run `npm audit` in `frontend/` and address high/critical findings.
Quality Checks
Run these before opening a pull request:
```bash
make check
make neutrality
```
Pull Request Expectations
- Keep PR scope focused and explain the user impact.
- Include tests for behavior changes.
- Update docs when interfaces or workflows change.
- Ensure all required CI and security checks are green.
AI-Assisted Contributions
AI-assisted contributions are allowed.
Human contributors remain responsible for:
- technical correctness,
- security/privacy compliance,
- and final review/sign-off before merge.