From 2e720b7166a561bc742e03f2171ccd5641739b6e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 11:28:44 -0400 Subject: [PATCH 1/3] Bump autoprefixer from 10.4.18 to 10.4.19 (#3835) Bumps [autoprefixer](https://github.com/postcss/autoprefixer) from 10.4.18 to 10.4.19. - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/autoprefixer/compare/10.4.18...10.4.19) --- updated-dependencies: - dependency-name: autoprefixer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 16 ++++++++-------- package.json | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/package-lock.json b/package-lock.json index 566186e26..70d4bb447 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12,7 +12,7 @@ "@11ty/eleventy": "^2.0.1", "@11ty/eleventy-img": "^3.1.8", "@uswds/uswds": "^3.8.0", - "autoprefixer": "^10.4.18", + "autoprefixer": "^10.4.19", "eleventy-plugin-svg-sprite": "^2.4.2", "esbuild": "^0.19.12", "esbuild-sass-plugin": "^2.16.1", @@ -1873,9 +1873,9 @@ "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/autoprefixer": { - "version": "10.4.18", - "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.18.tgz", - "integrity": "sha512-1DKbDfsr6KUElM6wg+0zRNkB/Q7WcKYAaK+pzXn+Xqmszm/5Xa9coeNdtP88Vi+dPzZnMjhge8GIV49ZQkDa+g==", + "version": "10.4.19", + "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.19.tgz", + "integrity": "sha512-BaENR2+zBZ8xXhM4pUaKUxlVdxZ0EZhjvbopwnXmxRUfqDmwSpC2lAi/QXvx7NRdPCo1WKEcEF6mV64si1z4Ew==", "funding": [ { "type": "opencollective", @@ -1892,7 +1892,7 @@ ], "dependencies": { "browserslist": "^4.23.0", - "caniuse-lite": "^1.0.30001591", + "caniuse-lite": "^1.0.30001599", "fraction.js": "^4.3.7", "normalize-range": "^0.1.2", "picocolors": "^1.0.0", @@ -2126,9 +2126,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001593", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001593.tgz", - "integrity": "sha512-UWM1zlo3cZfkpBysd7AS+z+v007q9G1+fLTUU42rQnY6t2axoogPW/xol6T7juU5EUoOhML4WgBIdG+9yYqAjQ==", + "version": "1.0.30001600", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001600.tgz", + "integrity": "sha512-+2S9/2JFhYmYaDpZvo0lKkfvuKIglrx68MwOBqMGHhQsNkLjB5xtc/TGoEPs+MxjSyN/72qer2g97nzR641mOQ==", "funding": [ { "type": "opencollective", diff --git a/package.json b/package.json index a7666a144..090873bab 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "@11ty/eleventy": "^2.0.1", "@11ty/eleventy-img": "^3.1.8", "@uswds/uswds": "^3.8.0", - "autoprefixer": "^10.4.18", + "autoprefixer": "^10.4.19", "eleventy-plugin-svg-sprite": "^2.4.2", "esbuild": "^0.19.12", "esbuild-sass-plugin": "^2.16.1", From 05f4dbb9d52083d070c80a1ace2cf184f2ac9179 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 11:29:05 -0400 Subject: [PATCH 2/3] Bump postcss from 8.4.36 to 8.4.38 (#3834) Bumps [postcss](https://github.com/postcss/postcss) from 8.4.36 to 8.4.38. - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.36...8.4.38) --- updated-dependencies: - dependency-name: postcss dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 16 ++++++++-------- package.json | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/package-lock.json b/package-lock.json index 70d4bb447..8b5ccb9aa 100644 --- a/package-lock.json +++ b/package-lock.json @@ -22,7 +22,7 @@ "markdown-it": "^13.0.2", "markdown-it-anchor": "^8.6.7", "markdown-it-attrs": "^4.1.6", - "postcss": "^8.4.36", + "postcss": "^8.4.38", "postcss-cli": "^10.0.0" }, "devDependencies": { @@ -6312,9 +6312,9 @@ } }, "node_modules/postcss": { - "version": "8.4.36", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.36.tgz", - "integrity": "sha512-/n7eumA6ZjFHAsbX30yhHup/IMkOmlmvtEi7P+6RMYf+bGJSUHc3geH4a0NSZxAz/RJfiS9tooCTs9LAVYUZKw==", + "version": "8.4.38", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.38.tgz", + "integrity": "sha512-Wglpdk03BSfXkHoQa3b/oulrotAkwrlLDRSOb9D0bN86FdRyE9lppSp33aHNPgBa0JKCoB+drFLZkQoRRYae5A==", "funding": [ { "type": "opencollective", @@ -6332,7 +6332,7 @@ "dependencies": { "nanoid": "^3.3.7", "picocolors": "^1.0.0", - "source-map-js": "^1.1.0" + "source-map-js": "^1.2.0" }, "engines": { "node": "^10 || ^12 || >=14" @@ -7474,9 +7474,9 @@ } }, "node_modules/source-map-js": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.1.0.tgz", - "integrity": "sha512-9vC2SfsJzlej6MAaMPLu8HiBSHGdRAJ9hVFYN1ibZoNkeanmDmLUcIrj6G9DGL7XMJ54AKg/G75akXl1/izTOw==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.0.tgz", + "integrity": "sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg==", "engines": { "node": ">=0.10.0" } diff --git a/package.json b/package.json index 090873bab..0746a654f 100644 --- a/package.json +++ b/package.json @@ -32,7 +32,7 @@ "markdown-it": "^13.0.2", "markdown-it-anchor": "^8.6.7", "markdown-it-attrs": "^4.1.6", - "postcss": "^8.4.36", + "postcss": "^8.4.38", "postcss-cli": "^10.0.0" }, "devDependencies": { From ae6a6282f31009cb6dccb5e1a3782d69514efd2f Mon Sep 17 00:00:00 2001 From: John Jediny Date: Mon, 25 Mar 2024 11:30:49 -0400 Subject: [PATCH 3/3] Create SECURITY.md (#3818) --- SECURITY.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..2c3621761 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,45 @@ +# Security Policy + +As a U.S. Government agency, the General Services Administration (GSA) takes +seriously our responsibility to protect the public's information, including +financial and personal information, from unwarranted disclosure. + +## Reporting a Vulnerability + +Services operated by the U.S. General Services Administration (GSA) +are covered by the **GSA Vulnerability Disclosure Program (VDP)**. + +See the [GSA Vulnerability Disclosure Policy](https://gsa.gov/vulnerability-disclosure-policy) +at for details including: + +* How to submit a report if you believe you have discovered a vulnerability. +* GSA's coordinated disclosure policy. +* Information on how you may conduct security research on GSA developed + software and systems. +* Important legal and policy guidance. + +### [Bug Bounties](https://hackerone.com/gsa_bbp) + +Certain GSA/TTS programs have bug bounties that are not discussed at the above link. If you find security issues for any of the following domains: + +* cloud.gov +* search.gov +* usa.gov +* 18f.gov +* fedramp.gov +* login.gov +* vote.gov + +you should also review the [GSA Bug Bounty program](https://hackerone.com/gsa_bbp) at for a potential bounty. + +## Supported Versions + +Please note that only certain branches are supported with security updates. + +| Version (Branch) | Supported | +| ---------------- | ------------------ | +| main | :white_check_mark: | +| other | :x: | + +When using this code or reporting vulnerabilities please only use supported +versions.