
docs: add SECURITY.md #5

Merged: belkassaby merged 2 commits into main from docs/security-notes on May 20, 2026

Conversation

@belkassaby (Owner)

Summary

  • New `SECURITY.md` at repo root documenting:
    • Threat model (browser-only; no Node `fs`; no eval; no telemetry; no install scripts).
    • Input-handling surface (the two caller-supplied inputs that affect what gets fetched).
    • Recommended consumer practices (hardcode/allowlist model URL, serve ORT sidecars same-origin, optional integrity check).
    • Build & supply chain (plain `tsc`, sigstore provenance, no install hooks).
    • Known scanner findings on `onnxruntime-web` — structural false positives on minified bundles + WASM.
  • README links to it from a new `## Security` section.

Why

A consumer running npm safety scans on `cellpose-js` saw the `onnxruntime-web` peer dep flagged with `Obfuscated code Supply Chain risk`. The reviewer's note clarified it's likely non-malicious — minified bundles look "obfuscated", and ort-web's caller-controlled URL input is the documented runtime contract. Writing the threat model + scanner-notes section explicitly so anyone running similar scans has a documented answer.

Notes

  • Pure docs change. No `SECURITY.md` previously existed.
  • No code change. No version bump needed; the next patch release will bundle this.

🤖 Generated with Claude Code

belkassaby and others added 2 commits May 15, 2026 13:30
…dings

Documents cellpose-js's threat model (browser-only, no Node fs, no eval, no
telemetry) and the input-handling surface inherited from onnxruntime-web:
caller-supplied modelUrl and wasmPaths. Provides recommended consumer
practices (hardcode or allowlist the model URL, serve ORT sidecars
same-origin, optionally validate model integrity, pin the peer dep).

Also addresses scanner findings on the ort-web peer dep — labels like
"Obfuscated code" and "Supply-chain risk" are structural false positives
on minified bundles + binary WASM, not actual malware behavior.

README now points at SECURITY.md from a new "## Security" section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@belkassaby belkassaby merged commit c137519 into main May 20, 2026
2 checks passed
