@felloh-org/lambda-wrapper 1.11.214 → 1.11.216

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/SECURITY.md ADDED
@@ -0,0 +1,58 @@
+ # Security Policy
+
+ ## Supported Versions
+
+ | Version | Supported |
+ |---------|--------------------|
+ | Latest | :white_check_mark: |
+ | < Latest | :x: |
+
+ Only the latest published version of `@felloh-org/lambda-wrapper` receives security updates. We recommend always upgrading to the latest version.
+
+ ## Reporting a Vulnerability
+
+ If you discover a security vulnerability in this project, please report it responsibly. **Do not open a public GitHub issue.**
+
+ Email **developers@felloh.com** with:
+
+ - A description of the vulnerability
+ - Steps to reproduce
+ - Affected versions
+ - Any potential impact assessment
+
+ You should receive an acknowledgement within 48 hours. We will work with you to understand the issue and coordinate a fix and disclosure timeline.
+
+ ## Security Practices
+
+ ### Dependency Management
+
+ - Production dependencies are audited for high and critical vulnerabilities on every push via the CI pipeline (`yarn audit:check`)
+ - Dependabot is enabled for automated dependency update pull requests
+ - Yarn resolutions are used to pin transitive dependencies to patched versions where upstream packages have not yet updated
+
+ ### Authentication and Authorisation
+
+ - Bearer token authentication via AWS Cognito JWT claims
+ - Role-based access control with organisation-scoped permissions
+ - All authorisation failures return 401 responses without leaking internal details
+
+ ### Data Handling
+
+ - Database credentials are fetched from AWS Secrets Manager at runtime (never hardcoded)
+ - All Lambda responses include CORS headers configured for the Felloh API
+ - Webhook payloads are signed with HMAC-SHA256 using per-organisation keys
+ - Request validation is enforced via declarative constraints before processing
+
+ ### Logging
+
+ - Axios errors are automatically sanitised to strip request headers and sensitive data before logging
+ - IP addresses and user agent information are logged as silent metrics for incident tracing
+ - No secrets, tokens, or credentials are written to logs
+
+ ## Disclosure Policy
+
+ We follow coordinated disclosure. Once a fix is available, we will:
+
+ 1. Release a patched version to npm
+ 2. Publish a GitHub advisory if the vulnerability warrants it
+ 3. Credit the reporter unless they request anonymity
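Review bot: the "Authentication and Authorisation" section states that all authorisation failures return 401, but 401 is the status for a missing or invalid credential; a valid Cognito token that lacks the required role or organisation scope is an authenticated-but-forbidden case, conventionally 403. Collapsing both into 401 makes client token-refresh logic and incident triage harder to reason about, so either state the split explicitly ("401 for unauthenticated requests, 403 for authenticated requests without permission") or, if returning 401 for both is deliberate to avoid revealing whether a resource exists, say so in the policy. The "Reporting a Vulnerability" section would also benefit from a stated maximum time to fix or public disclosure, so reporters know the timeline before they submit.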
@@ -1,3 +1,4 @@
+ const { DataSource } = require('typeorm');
  const DotEnv = require('dotenv');
 
  DotEnv.config();
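Review bot: `DataSource` is only exported by TypeORM 0.3 and later; on a 0.2.x install the destructuring yields `undefined` and the `new DataSource(connectionParams)` at the end of this file throws at require time rather than at connect time. Confirm that `package.json` pins `typeorm` to a 0.3.x range under `dependencies` (this module is evaluated at runtime, not only by the CLI), and that the `yarn audit:check` gate and Yarn resolutions described in the new SECURITY.md were re-run against the bumped range.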
@@ -12,9 +13,6 @@ const connectionParams = {
  `${__dirname}/dist/migration/**/*.ts`,
  `${__dirname}/dist/migration/**/*.js`,
  ],
- cli: {
- migrationsDir: `${__dirname}/src/migration`,
- },
  synchronize: true,
  logging: false,
  schema: 'user',
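Review bot: dropping the `cli.migrationsDir` block is the right follow-up to moving to `DataSource` (the `cli` option has no equivalent in the 0.3 API), but the surviving context line `synchronize: true` should be addressed in the same change: with `migrations` globs configured and `synchronize` enabled, TypeORM will also auto-alter the schema when the data source is initialised, which can drop or rename columns in the `user` schema in production and bypasses the migration history the globs are there to enforce. Suggest gating it, e.g. `synchronize: process.env.NODE_ENV !== 'production'` or an explicit env flag, so migrations remain the only path by which the warehouse schema changes.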
@@ -35,4 +33,4 @@ if (process.env.WAREHOUSE_TYPE === 'postgres') {
  connectionParams.region = process.env.REGION;
  }
 
- module.exports = connectionParams;
+ module.exports = new DataSource(connectionParams);
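Review bot: the export changes type from a plain options object to a constructed `DataSource`, and nothing here calls `initialize()`, so every consumer that previously spread `...connectionParams`, passed the object to a connection factory, or read a field such as `connectionParams.region` now receives a `DataSource` instance and will either break or silently read a different property. Check every `require` of this module in the package and in downstream users of `lambda-wrapper`, and since 1.11.214 → 1.11.216 is a patch-level bump, either keep the raw options reachable (for example a named export alongside the instance) or call out the breaking change in the release notes.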