memorio 3.0.0 → 3.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CODE_OF_CONDUCT.md +1 -1
- package/README.md +202 -332
- package/SECURITY.md +48 -3
- package/docs/README.md +202 -332
- package/examples/basic.ts +22 -22
- package/examples/browser-vanilla.html +2 -2
- package/examples/cache.ts +9 -9
- package/examples/idb.ts +8 -8
- package/examples/node-server.ts +39 -39
- package/examples/observer.ts +5 -5
- package/examples/platform.ts +37 -37
- package/examples/react-app.tsx +3 -3
- package/examples/session-advanced.ts +8 -8
- package/examples/state-advanced.ts +10 -10
- package/examples/store-advanced.ts +9 -9
- package/examples/useObserver.tsx +1 -1
- package/index.cjs +27 -26
- package/index.js +25 -26
- package/package.json +3 -3
- package/types/cache.d.ts +1 -1
- package/types/idb.d.ts +1 -1
- package/types/observer.d.ts +1 -1
- package/types/store.d.ts +10 -10
- package/types/useObserver.d.ts +1 -1
package/SECURITY.md
CHANGED
|
@@ -1,3 +1,48 @@
|
|
|
1
|
-
# Security
|
|
2
|
-
|
|
3
|
-
|
|
1
|
+
# Security
|
|
2
|
+
|
|
3
|
+
Memorio follows NIST and NSA security standards at the enterprise level.
|
|
4
|
+
|
|
5
|
+
## Security Standards
|
|
6
|
+
|
|
7
|
+
- **NIST Guidelines**: Follows NIST SP 800-53 security controls and NIST Cybersecurity Framework
|
|
8
|
+
- **NSA Standards**: Defense-grade security practices; considers nation-state level threats in risk assessment
|
|
9
|
+
|
|
10
|
+
## Supply Chain Security
|
|
11
|
+
|
|
12
|
+
- **Socket.dev**: Minimum target score 90%; all alarms must be resolved before release
|
|
13
|
+
- **Dependency Management**: Zero production dependencies (fully dependency-free); dev dependencies audited regularly
|
|
14
|
+
- **Prohibited**: No `eval()` usage, no encrypted/obfuscated code in builds, no hardcoded secrets
|
|
15
|
+
|
|
16
|
+
## Code Security
|
|
17
|
+
|
|
18
|
+
- No hardcoded credentials or API keys
|
|
19
|
+
- Secure random session ID generation (`crypto.randomUUID` → `crypto.getRandomValues` → fallback)
|
|
20
|
+
- Input validation on all public APIs
|
|
21
|
+
- XSS prevention on DevTools data export
|
|
22
|
+
- Property-based access control on global objects (`Object.defineProperty` with `enumerable: false`)
|
|
23
|
+
|
|
24
|
+
## OWASP Compliance
|
|
25
|
+
|
|
26
|
+
Addresses OWASP Top 10 (2021):
|
|
27
|
+
- A01:2021 — Broken Access Control (global object protection, property locks)
|
|
28
|
+
- A02:2021 — Cryptographic Failures (crypto.randomUUID for session IDs)
|
|
29
|
+
- A03:2021 — Injection (CSS sanitization in devtools)
|
|
30
|
+
- A05:2021 — Security Misconfiguration (minimal surface area, no bundled secrets)
|
|
31
|
+
- A06:2021 — Vulnerable and Outdated Components (regular npm audit, Socket.dev)
|
|
32
|
+
- A07:2021 — Identification and Authentication Failures (N/A — library, no auth)
|
|
33
|
+
- A08:2021 — Software and Data Integrity Failures (strict tsconfig, lock files)
|
|
34
|
+
- A09:2021 — Security Logging and Monitoring Failures (DevTools inspect, Logger module)
|
|
35
|
+
- A10:2021 — Server-Side Request Forgery (N/A — no network requests)
|
|
36
|
+
|
|
37
|
+
## Reporting Security Issues
|
|
38
|
+
|
|
39
|
+
If you find a security vulnerability:
|
|
40
|
+
|
|
41
|
+
1. Email [Dario Passariello](mailto:dariopassarielloa@gmail.com)
|
|
42
|
+
2. Or visit https://dario.passariello.ca/contact/
|
|
43
|
+
|
|
44
|
+
Do not open public issues for security vulnerabilities.
|
|
45
|
+
|
|
46
|
+
---
|
|
47
|
+
*Document version: 2.0 — Last updated: 2026-05-19*
|
|
48
|
+
*Owner: BigLogic Security Team*
|
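Review bot: the "fallback" in new line 19 (`crypto.randomUUID` → `crypto.getRandomValues` → fallback) is left unspecified, and the A02:2021 entry on line 28 credits only `crypto.randomUUID`; if the last step is a non-cryptographic source such as `Math.random()`, the session-ID claim does not hold on that path, so name the fallback here or state that ID generation fails closed when no CSPRNG is available. Related inconsistencies in the same hunk: line 21 says "XSS prevention on DevTools data export" while line 29 maps A03 to "CSS sanitization in devtools", and one of the two should be corrected to match the code; line 22 describes `Object.defineProperty` with `enumerable: false` as "access control", but a non-enumerable property is still readable and writable by any script, so either cite `writable: false, configurable: false` if that is what the build does or drop the A01 mapping on line 27; line 34 maps A09 to DevTools inspect and the Logger module, which are debugging aids rather than security logging. The "Reporting Security Issues" section (lines 37-44) would also benefit from a supported-versions table and an expected acknowledgement time, since the document otherwise gives reporters no disclosure expectations.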