Security
Supply chain security, provenance, and vulnerability reporting.
Reporting vulnerabilities
If you discover a security issue:
- Do NOT open a public issue
- Email: rajnavakoti@gmail.com with subject “architecture-blocks security”
- Include: description, reproduction steps, and impact assessment
- Expected response time: 48 hours
Supply chain security
- Published packages include an npm provenance attestation, which ties the published tarball to the source commit and the GitHub Actions workflow run that built it
- All releases are built by GitHub Actions from the repository
- Verify provenance after installing: `npm audit signatures`
- Package lockfile (`package-lock.json`) is committed and used in CI (`npm ci`), so CI installs exactly the pinned versions and integrity hashes
Dependencies
Minimal runtime dependencies — each one justified:
| Package | Purpose | Why not built-in? |
|---|---|---|
| `commander` | CLI framework | Standard CLI library, battle-tested |
| `fast-xml-parser` | XML parsing | No native deps, faster than alternatives |
| `yaml` | YAML shape definitions | Standard YAML parser |
Automated dependency updates
Dependabot is configured for both npm packages and GitHub Actions, scanning weekly.
Offline operation
This package makes zero network requests at runtime. Everything operates on local files. No analytics, no telemetry, no phone-home.