Explanation: In order to be transparent and allow consumers of the DB to be ready and prepared for changes in the format, we want to communicate those upfront. This issue is an attempt at rehearsing a potential process of communicating these kinds of changes. For details please check out here onward: https://github.com/nodejs/security-wg/issues/200#issuecomment-400105331
We are planning to make the author attribute more verbose and easier to machine-read. The format would change from the current format:
"author": "Cal Lemming" // not required
to the new format:
"author": {
    "name": "Cal Leeming", // required
    "website": null, // optional, can be null
    "username": null // optional, can be null
}
The discussion around this can be found in issue https://github.com/nodejs/security-wg/issues/200
The PR proposing the changes is: https://github.com/nodejs/security-wg/pull/314
If you are a consumer of this database and would like to be informed of upcoming changes, please add a comment here and we will reach out to you in the future.
If you have any suggestions or constructive feedback please join the conversation.
The PR, unless someone vetoes, will be merged on 27.07.2018.
LGTM. Also I really like this process!
Definitely. I'd like to go ahead and document this process as well.
Also Twitter / HackerOne / GitHub links (optionally)?
npm's advisory format currently specifies name (descriptor) and url fields which covers all the various situations we've run into historically with nodesecurity data, which was linking to a website, twitter, GitHub, or preferred other location without having to have an extremely complicated schema.
I've considered making that an array to support linking to more locations, but that seems like needless complexity for an advisory.
In the original proposal the idea was:
Name would be a full name, username is as set in the hackerone report, and website as a social reference for the user (will be taken from the hackerone platform).
So there might be cases where the h1 username and the social proof differ. Or should we just link to the h1 user profile then?
I think it's ok to just have one generic field for the website and it will be used for whatever reference the user preferred.
@lirantal sorry I am confused. Do you mean we keep the current format, or change it to something with only a URL?
eg:
"author": {
    "name": "Cal Leeming", // required
    "website": null, // optional, can be null
    "username": null // optional, can be null
}
to:
"author": {
    "name": "Cal Leeming", // required
    "website": null // optional, can be null
}
I vote for keeping the existing format of name (from hackerone), website (whatever the user put in hackerone, or we can try to manually find if it's empty) and username (in hackerone).
My reasoning for this is that reports are not a social platform and we will probably not continue extending it with insta' and others as they pop up. It makes sense to me that given one website link to either twitter/github/medium/linkedin to locate someone is a good enough medium to further contact them and find them in other social platforms as well.
+1 for one generic reference.
I am going ahead and pushing this out today then. Sorry for the delay.