npm - @skilly-hand/skilly-hand - Versions diffs - 0.11.1 → 0.12.0 - Mend

@skilly-hand/skilly-hand 0.11.1 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -16,6 +16,24 @@ All notable changes to this project are documented in this file.
 ### Removed
 - _None._
+## [0.12.0] - 2026-04-05
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.12.0)
+### Added
+- Added `SECURITY.md` policy for vulnerability reporting and response procedures.
+- Added `security-check` script to scan source code for exposed secrets and API keys.
+- Integrated security scanning into the `verify:publish` pipeline to catch credential leaks before release.
+### Changed
+- Updated `.gitignore` to include `.env*` pattern for environment variable files.
+- Updated `verify-packlist.mjs` to whitelist `SECURITY.md` in npm package.
+### Fixed
+- _None._
+### Removed
+- _None._
 ## [0.11.1] - 2026-04-05
 [View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.11.1)

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,37 @@
+# Security Policy
+## Supported Versions
+Only the latest version published on npm is supported with security fixes. No backport patches are issued for older versions.
+## Reporting a Vulnerability
+If you discover a security vulnerability, please **do not open a public GitHub issue**. Instead, use [GitHub Security Advisories](https://github.com/Davecelot/skilly-hand/security/advisories/new) to report it privately.
+Include as much detail as possible:
+- A description of the vulnerability and its potential impact
+- Steps to reproduce or a minimal proof-of-concept
+- The version of `@skilly-hand/skilly-hand` you are using
+- Your environment (OS, Node.js version)
+## Response Timeline
+This is a solo-maintained project. I will do my best to:
+- Acknowledge the report within a few days
+- Triage and provide an estimated fix timeline once reviewed
+- Publish a patch and disclose the issue publicly after the fix ships
+## Out of Scope
+The following are not considered security vulnerabilities in this project:
+- Content inside skill `.md` files — these are prose instructions for AI agents, not executable code
+- Vulnerabilities in third-party dependencies — please report those directly to the upstream package maintainers
+- Issues that require physical access to the machine running the CLI
+## Please Do Not
+- Disclose the vulnerability publicly before a fix has been released
+- Open a public GitHub issue to report security concerns

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/skilly-hand",
-  "version": "0.11.1",
+  "version": "0.12.0",
   "license": "CC-BY-NC-4.0",
   "type": "module",
   "publishConfig": {
@@ -14,7 +14,8 @@
     "packages",
     "README.md",
     "CHANGELOG.md",
-    "LICENSE"
+    "LICENSE",
+    "SECURITY.md"
   ],
   "workspaces": [
     "packages/*"
@@ -28,8 +29,9 @@
     "catalog:sync": "node ./scripts/sync-catalog-readme.mjs",
     "agentic:self:sync": "node ./scripts/sync-self-agentic.mjs",
     "test": "node --test tests/*.test.js",
+    "security:check": "node ./scripts/security-check.mjs",
     "verify:packlist": "node ./scripts/verify-packlist.mjs",
-    "verify:publish": "npm run catalog:check && npm test && npm run verify:packlist",
+    "verify:publish": "npm run security:check && npm run catalog:check && npm test && npm run verify:packlist",
     "publish:prepare": "npm run verify:publish && npm pack --dry-run --json",
     "publish:otp": "node ./scripts/publish-with-otp.mjs",
     "publish:next": "node ./scripts/publish-with-otp.mjs --tag next",