github OWASP/cve-lite-cli v1.12.1
v1.12.1 - Supply-chain attestation and OWASP community docs

one month ago

Added

  • Release tarballs attached to each GitHub release are now cryptographically signed using GitHub's Sigstore-backed Artifact Attestations. The signing keys are ephemeral OIDC-issued keys generated per build, so no long-lived private signing key exists on either GitHub or the npm registry. Verification is documented in the README under "Security and verification" using gh attestation verify cve-lite-cli-X.Y.Z.tgz --repo OWASP/cve-lite-cli.
  • New Governance section in the README documenting the project's governance model, key roles, decision-making process, and dispute-resolution path.
  • New Security and verification section in the README explaining how to verify a downloaded release tarball and how to verify the npm-installed copy via npm audit signatures.
  • New Coding standards section in CONTRIBUTING.md describing the TypeScript style baseline, naming conventions, comment policy, and the categories of change that get pushed back during review.
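The tarball verification flow from the first bullet, as an added example that is not part of the project's own code: the script fetches a release asset, checks its GitHub Artifact Attestation with gh attestation verify, and only installs the tarball if that check passes, so the registry copy is never the trust anchor. It assumes the gh CLI is installed and authenticated and that release tags follow the vX.Y.Z pattern shown in the release list; the version-validation helper is hypothetical.

```shell
#!/usr/bin/env sh
# Added example (not from the cve-lite-cli project): verify a release tarball's
# Sigstore-backed attestation before installing it. Assumes `gh` is installed
# and logged in, and that release tags are vX.Y.Z.
set -eu

REPO="OWASP/cve-lite-cli"

# Accept only a plain X.Y.Z version so the value cannot smuggle path components
# into the file name or the release tag.
valid_version() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Asset name attached to each release, as named in the release notes.
release_tarball_name() {
  valid_version "$1" || return 1
  printf 'cve-lite-cli-%s.tgz\n' "$1"
}

# Download (if needed), verify the attestation, then install from the verified
# local tarball. A non-zero exit from gh aborts before npm install runs.
verify_and_install() {
  tgz=$(release_tarball_name "$1") || { echo "bad version: $1" >&2; return 1; }
  command -v gh >/dev/null 2>&1 || { echo "gh CLI not found" >&2; return 1; }
  [ -f "$tgz" ] || gh release download "v$1" --repo "$REPO" --pattern "$tgz"
  gh attestation verify "$tgz" --repo "$REPO"
  npm install -g "./$tgz"
}

# Usage: sh verify-install.sh 1.12.1
[ $# -eq 0 ] || verify_and_install "$1"
```

For a copy already installed from the registry, the release notes point to npm audit signatures instead, which checks the registry's own provenance signatures rather than the GitHub release attestation.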

Changed

  • The Code of Conduct moved from src/docs/CODE_OF_CONDUCT.md to CODE_OF_CONDUCT.md at the repository root so GitHub auto-detects it on the Community Standards page. The CoC text itself is unchanged.
  • The contributor guide's testing expectations are now an explicit policy: any new feature, behavior change, or bug fix that affects scan logic, parsing, output, or remediation must be covered by automated unit tests in the same pull request, with practical exceptions called out for documentation-only and genuinely untestable changes.

Validation

  • npm test
  • npm run build
