fix: address FLOSS best practices audit gaps #1148
cuaclaw wants to merge 2 commits into trycua:claude/add-floss-best-practices-C4RJl from
Conversation
- Add .github/SECURITY.md with vulnerability reporting policy,
  response timelines, scope, and private disclosure via GitHub
  Security Advisories + security@cua.ai
- Add .github/dependabot.yml to automate dependency updates across
  pip, npm, and GitHub Actions ecosystems
- Update CONTRIBUTING.md: add explicit English language requirement
  and Testing Requirements section mandating tests for all new
  features and bug fixes
- Update FLOSS_BEST_PRACTICES_AUDIT.md:
  - Fix release_notes to PASS (confirmed: GitHub Releases have
    human-readable notes)
  - Fix vulnerability_report_process and vulnerability_report_private
    to PASS (SECURITY.md added)
  - Fix english SHOULD to PASS (CONTRIBUTING.md updated)
  - Fix tests_documented_added to PASS (CONTRIBUTING.md updated)
  - Update summary: 29/34 → 31/34 MUST passing (3 failures remain)
- Revised Critical Gaps section to reflect resolved items

Remaining MUST failure: vulnerabilities_fixed_60_days (85 Dependabot
alerts including 3 critical — requires manual triage)
Closes gaps identified in trycua#1101
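The commit message above describes a `.github/dependabot.yml` covering pip, npm and GitHub Actions on a weekly schedule. The following is an added illustration of what such a file looks like; it is not the file from this PR, and the `directory` paths, the single pip entry (the PR mentions five pip packages, which would mean one `updates` entry per manifest directory) and the pull-request limit are assumptions.

```yaml
# Added example, not the project's own dependabot.yml.
# Directory paths and limits below are assumptions for illustration.
version: 2
updates:
  # Python dependencies: one entry per directory that holds a
  # pyproject.toml / requirements.txt (the PR mentions five such packages).
  - package-ecosystem: "pip"
    directory: "/"            # assumed manifest location
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # Batch routine minor/patch bumps so reviewers see one PR per week
      # instead of one per package; security-relevant bumps still arrive
      # individually if Dependabot security updates are enabled.
      python-minor-and-patch:
        update-types: ["minor", "patch"]

  # JavaScript / TypeScript packages
  - package-ecosystem: "npm"
    directory: "/"            # assumed manifest location
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # Actions referenced from .github/workflows/*.yml; directory "/" is
  # the documented value for this ecosystem.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Two caveats a reviewer would raise: version updates configured here are separate from Dependabot security updates, which are switched on in the repository's security settings, so this file alone does not fix the 85 open alerts the description mentions; and pinning GitHub Actions to full commit SHAs rather than tags (`uses: org/action@<sha>`) is what makes the `github-actions` entry meaningful, since Dependabot will then bump the SHA and keep the version comment in sync.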
Summary

Addresses the gaps identified in the FLOSS best practices audit from #1101.

Changes

New files
- .github/SECURITY.md — Full vulnerability reporting policy with response timelines (≤7 days ack, ≤14 days triage), scope definition, private disclosure via GitHub Security Advisories + security@cua.ai
- .github/dependabot.yml — Automated dependency updates for pip (5 packages), npm (2 packages), and GitHub Actions on a weekly schedule

Updated files
- CONTRIBUTING.md — Added explicit English language requirement + new "Testing Requirements" section mandating tests for all new features and bug fixes
- FLOSS_BEST_PRACTICES_AUDIT.md — Updated audit results to reflect resolved gaps

Audit score improvement

Resolved gaps
- release_notes — Confirmed PASS: GitHub Releases have human-readable notes (was incorrectly marked FAIL)
- vulnerability_report_process — SECURITY.md added
- vulnerability_report_private — GitHub Security Advisories + email
- english (SHOULD) — CONTRIBUTING.md updated
- tests_documented_added (SUGGESTED) — CONTRIBUTING.md updated

Remaining MUST failure
- vulnerabilities_fixed_60_days — 85 Dependabot alerts (3 critical, 36 high) require manual triage. The new dependabot.yml will keep dependencies current going forward, but existing alerts need review.
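The remaining `vulnerabilities_fixed_60_days` failure is about open alerts that have been open longer than the badge's 60-day window, so the first triage step is to rank the open alerts by severity and age and find the ones already past the window. The script below is an added example, not code from this PR or the trycua project. It assumes the JSON shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts` (`state`, `created_at`, `security_advisory.severity`, `security_vulnerability.first_patched_version`, `dependency.package`), and the five alerts embedded in it are constructed sample data with placeholder package names, not the project's real alerts.

```python
"""Triage open Dependabot alerts against the FLOSS 60-day fix window.

Added example (not the project's code). Input shape follows the GitHub
REST API for Dependabot alerts; the sample alerts are constructed.
"""
import json
from datetime import datetime, timezone

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
FIX_WINDOW_DAYS = 60  # the vulnerabilities_fixed_60_days criterion

# Constructed sample: four open alerts of mixed age/severity plus one
# dismissed alert that must be ignored. Package names are placeholders.
SAMPLE_ALERTS_JSON = """[
  {"number": 101, "state": "open", "created_at": "2025-09-01T00:00:00Z",
   "security_advisory": {"severity": "critical", "summary": "code execution via crafted input"},
   "security_vulnerability": {"first_patched_version": {"identifier": "2.4.1"}},
   "dependency": {"package": {"ecosystem": "pip", "name": "pkg-a"}, "manifest_path": "requirements.txt"}},
  {"number": 102, "state": "open", "created_at": "2025-10-20T00:00:00Z",
   "security_advisory": {"severity": "high", "summary": "prototype pollution"},
   "security_vulnerability": {"first_patched_version": {"identifier": "1.9.2"}},
   "dependency": {"package": {"ecosystem": "npm", "name": "pkg-b"}, "manifest_path": "package-lock.json"}},
  {"number": 103, "state": "open", "created_at": "2025-11-10T00:00:00Z",
   "security_advisory": {"severity": "critical", "summary": "auth bypass"},
   "security_vulnerability": {"first_patched_version": {"identifier": "0.12.0"}},
   "dependency": {"package": {"ecosystem": "pip", "name": "pkg-c"}, "manifest_path": "requirements.txt"}},
  {"number": 104, "state": "open", "created_at": "2025-08-01T00:00:00Z",
   "security_advisory": {"severity": "low", "summary": "ReDoS in logger"},
   "security_vulnerability": {"first_patched_version": null},
   "dependency": {"package": {"ecosystem": "npm", "name": "pkg-d"}, "manifest_path": "package-lock.json"}},
  {"number": 105, "state": "dismissed", "created_at": "2025-07-01T00:00:00Z",
   "security_advisory": {"severity": "high", "summary": "path traversal"},
   "security_vulnerability": {"first_patched_version": {"identifier": "3.0.1"}},
   "dependency": {"package": {"ecosystem": "pip", "name": "pkg-e"}, "manifest_path": "requirements.txt"}}
]"""


def parse_created(ts: str) -> datetime:
    """Parse an API timestamp; the 'Z' suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(alerts: list, now: datetime, window_days: int = FIX_WINDOW_DAYS) -> list:
    """Return open alerts as flat rows, most severe and oldest first."""
    rows = []
    for alert in alerts:
        if alert.get("state") != "open":  # fixed/dismissed alerts do not count
            continue
        age = (now - parse_created(alert["created_at"])).days
        # first_patched_version is null when no fixed release exists yet
        fix = (alert.get("security_vulnerability") or {}).get("first_patched_version")
        pkg = alert["dependency"]["package"]
        rows.append({
            "number": alert["number"],
            "ecosystem": pkg["ecosystem"],
            "package": pkg["name"],
            "manifest": alert["dependency"].get("manifest_path"),
            "severity": alert["security_advisory"]["severity"].lower(),
            "age_days": age,
            "overdue": age > window_days,
            "fix_version": fix["identifier"] if fix else None,
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), -r["age_days"]))
    return rows


def summarize(rows: list) -> dict:
    """Counts a maintainer needs for the audit: open, past-window, no-fix-available."""
    by_severity = {}
    for r in rows:
        by_severity[r["severity"]] = by_severity.get(r["severity"], 0) + 1
    return {
        "open": len(rows),
        "overdue": sum(r["overdue"] for r in rows),
        "unpatchable": sum(r["fix_version"] is None for r in rows),
        "by_severity": by_severity,
    }


def run_sample(now: datetime = datetime(2025, 11, 15, tzinfo=timezone.utc)):
    """Triage the constructed sample at a fixed 'now' so results are reproducible."""
    rows = triage(json.loads(SAMPLE_ALERTS_JSON), now)
    return rows, summarize(rows)


if __name__ == "__main__":
    rows, summary = run_sample()
    print(summary)
    for r in rows:
        flag = "OVERDUE" if r["overdue"] else "ok"
        fix = r["fix_version"] or "no fixed release"
        print(f"#{r['number']:<4} {r['severity']:<8} {r['age_days']:>4}d {flag:<8} "
              f"{r['ecosystem']}/{r['package']} ({r['manifest']}) -> {fix}")
```

To run it on real data, dump the alerts with `gh api "repos/OWNER/REPO/dependabot/alerts?state=open&per_page=100" --paginate` and feed the JSON to `triage()` with `now=datetime.now(timezone.utc)`. Alerts with no `first_patched_version` cannot be closed by a version bump; they need either a replacement dependency or a dismissal with a documented reason, which is the part of the triage that Dependabot version updates cannot do on their own.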