commitment-issues

Miradi inayofuata mazoea bora hapa chini inaweza kujihakikisha kwa hiari na kuonyesha kuwa wamepata nishani ya mazoea bora ya Open Source Security Foundation (OpenSSF).

Hakuna seti ya mazoea yawezayo kuhakikisha kuwa programu haitakuwa na kasoro au udhaifu; hata mbinu rasmi zinaweza kushindwa ikiwa vipimo au dhana ni sahihi. Wala hakuna seti ya mazoea yawezayo kuhakikisha kuwa mradi utaendelea kuwa na jamii ya maendeleo yenye afya na inayofanya kazi vizuri. Hata hivyo, kufuata mazoea bora kunaweza kusaidia kuboresha matokeo ya miradi. Kwa mfano, baadhi ya mazoea huwezesha ukaguzi wa watu wengi kabla ya kutolewa, ambayo inaweza kusaidia kupata udhaifu wa kiufundi ambao vinginevyo ni vigumu kupata na kusaidia kujenga uaminifu na hamu ya mwingiliano wa kurudia kati ya wasanidi programu kutoka makampuni tofauti. Ili kupata nishani, vigezo vyote vya LAZIMA na LAZIMA WALA USIWAHI lazima vifuatwe, vigezo vyote vya INAPASWA lazima vifuatwe AU visivyo fufufutiliana na thibitisho, na vigezo vyote vya PENDEKEZA lazima vifuatwe AU visivyo fufufutiliana (tunataka vifikiwe angalau). Ikiwa unataka kuingiza maandishi ya thibitisho kama maoni ya jumla, badala ya kuwa maelezo ya busara kwamba hali ni inakubaliwa, anza kifungu cha maandishi na '//' ikifuatiwa na nafasi. Maoni ni karibu kupitia tovuti ya GitHub kama masuala au maombi ya kuvuta Kuna pia orodha ya barua pepe kwa majadiliano ya jumla.

Tunafuraha kutoa habari katika lugha nyingi, hata hivyo, ikiwa kuna mgongano au kutokuwa na usawa kati ya tafsiri, toleo la Kiingereza ni toleo lenye mamlaka.
Ikiwa huu ni mradi wako, tafadhali onyesha hadhi ya nishani yako kwenye ukurasa wa mradi wako! Hadhi ya nishani inaonekana kama hii: Kiwango cha nishani kwa mradi 13528 ni passing Hapa ni jinsi ya kuiweka:
Unaweza kuonyesha hali ya nishani yako kwa kuweka hii katika faili yako ya markdown:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13528/badge)](https://www.bestpractices.dev/projects/13528)
au kwa kuweka hii katika HTML yako:
<a href="https://www.bestpractices.dev/projects/13528"><img src="https://www.bestpractices.dev/projects/13528/badge"></a>


Hizi ni vigezo vya kiwango cha Fedha. Unaweza pia kuangalia vigezo vya kiwango cha Kupita au Dhahabu.

Baseline Series: Kiwango cha Msingi 1 Kiwango cha Msingi 2 Kiwango cha Msingi 3

        

 Misingi 16/17

  • Jumla

    Kumbuka kwamba miradi mingine inaweza kutumia jina sawa.

    For developers who overthink every commit. Advisory-first pre-commit and pre-push checks for JavaScript and TypeScript projects using Husky, lint-staged, ESLint, and Prettier. Advisory by default: commitment-issues reports issues without discarding unstaged work, rewriting already-pushed history, or blocking pushes.

    Tafadhali tumia muundo wa maneno ya leseni ya SPDX; mifano ni pamoja na "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", na "(BSD-2-Clause OR Ruby)". Usitumie alama za nukuu za moja au mbili.
    Ikiwa kuna lugha zaidi ya moja, ziorodhe kama thamani zilizotengwa kwa koma (nafasi ni za hiari) na ziorodhe kuanzia iliyotumiwa zaidi hadi iliyotumiwa kidogo. Ikiwa kuna orodha ndefu, tafadhali orodhesha angalau tatu za kawaida zaidi. Ikiwa hakuna lugha (k.m., huu ni mradi wa nyaraka tu au wa majaribio tu), tumia herufi moja "-". Tafadhali tumia herufi kubwa za kawaida kwa kila lugha, k.m., "JavaScript".
    Common Platform Enumeration (CPE) ni mpango wa kuweka majina yenye muundo kwa mifumo ya teknolojia ya habari, programu, na vifurushi. Inatumika katika mifumo na hifadhidata nyingi wakati wa kuripoti udhaifu.
  • Mahitaji ya awali


    Mradi LAZIMA ufikie nishani ya kiwango cha kuhitimu. [achieve_passing]

  • Maudhui ya kimsingi ya tovuti ya mradi


    Habari juu ya jinsi ya kuchangia LAZIMA ijumuishe mahitaji ya michango inayokubalika (k.m., rejea kwa kiwango chochote kinachohitajika cha msimbo). (URL inahitajika) [contribution_requirements]

    The contributing guide documents requirements for acceptable contributions. Pull requests should include tests for behavior changes and regression tests for bug fixes, stay focused to one logical change, pass npm test, npm run lint, and npm run format:check, update the changelog and documentation for user-visible changes, and follow the project's advisory-first design philosophy. The guide also documents the coding style: Prettier for formatting, ESLint flat config for linting, small composable functions, clear names, and comments only where intent is non-obvious.

    https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#contribution-requirements


  • Usimamizi wa mradi


    Mradi UNAPASWA kuwa na utaratibu wa kisheria ambapo wasanidi wote wa kiasi kisicho kidogo cha programu ya mradi wanathibitisha kwamba wameruhusiwa kisheria kufanya michango hii. Mbinu ya kawaida na rahisi ya kutekeleza hii ni kwa kutumia Cheti cha Msanidi cha Asili (DCO), ambapo watumiaji huongeza "signed-off-by" katika ahadi zao na mradi unaunganisha kwenye tovuti ya DCO. Hata hivyo, hii YAWEZA kutekelezwa kama Makubaliano ya Leseni ya Mchangiaji (CLA), au utaratibu mwingine wa kisheria. (URL inahitajika) [dco]
    DCO ni utaratibu unaopendekeza kwa sababu ni rahisi kutekeleza, kufuatilia katika msimbo wa chanzo, na git inasaidia moja kwa moja kipengele cha "signed-off" kwa kutumia "commit -s". Ili kuwa na ufanisi zaidi ni bora ikiwa nyaraka za mradi zinaeleza maana ya "signed-off" kwa mradi huo. CLA ni makubaliano ya kisheria yanayofafanua masharti ambayo kazi za kiakili zimetolewa leseni kwa shirika au mradi. Makubaliano ya mgawo wa mchangiaji (CAA) ni makubaliano ya kisheria yanayohamisha haki katika kazi ya kiakili kwa chama kingine; miradi haihitajiki kuwa na CAA, kwa kuwa kuwa na CAA huongeza hatari kwamba wachangiaji watarajiwa hawatachangia, hasa ikiwa mpokeaji ni shirika la faida. Apache Software Foundation CLAs (leseni ya mchangiaji wa mtu binafsi na CLA ya kampuni) ni mifano ya CLA, kwa miradi ambayo inaamua kwamba hatari za aina hizi za CLA kwa mradi ni chini ya manufaa yao.

    The project uses the Developer Certificate of Origin as its legal contribution authorization mechanism. The DCO text is published in the repository, the contributing guide requires every commit to include a Signed-off-by: trailer using git commit -s, and CI runs a DCO workflow on pull requests to verify sign-offs.

    Evidence:
    https://github.com/RoryGlenn/commitment-issues/blob/main/DCO
    https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#developer-certificate-of-origin
    https://github.com/RoryGlenn/commitment-issues/blob/main/.github/workflows/dco.yml



    Mradi LAZIMA ufafanue kwa uwazi na kuandika muundo wake wa utawala wa mradi (njia ya kufanya maamuzi, ikiwa ni pamoja na majukumu muhimu). (URL inahitajika) [governance]
    Kunahitaji kuwa na njia fulani iliyowekwa vyema ya kuandikwa ya kufanya maamuzi na kutatua migogoro. Katika miradi midogo, hii inaweza kuwa rahisi kama "mmiliki wa mradi na kiongozi hufanya maamuzi yote ya mwisho". Kuna miundo mbalimbali ya utawala, ikiwa ni pamoja na dictator wa wema na meritocracy rasmi; kwa maelezo zaidi, angalia Miundo ya utawala. Mbinu zote mbili za kati (k.m., mtunzaji mmoja) na zisizo za kati (k.m., watunzaji wa kikundi) zimetumika kwa mafanikio katika miradi. Habari za utawala hazihitajiki kuandika uwezekano wa kuunda uma wa mradi, kwa kuwa hiyo ni iwezekanavyo kila wakati kwa miradi ya FLOSS.

    The project documents a maintainer-led governance model in GOVERNANCE.md. It explains how decisions are made, maintainer authority, contributor roles, the normal change process, review and merge policy, release process, security decisions, and how governance changes are made.

    Evidence:
    https://github.com/RoryGlenn/commitment-issues/blob/main/GOVERNANCE.md



    Mradi LAZIMA upitishe kanuni ya mwenendo na kuiweka mahali pa kawaida. (URL inahitajika) [code_of_conduct]
    Miradi inaweza kuweza kuboresha uadilifu wa jamii yao na kuweka matarajio kuhusu tabia inayokubalika kwa kupitisha kanuni ya mwenendo. Hii inaweza kusaidia kuepuka matatizo kabla hayajatokea na kufanya mradi kuwa mahali pa kukaribishwa zaidi ili kuhimiza michango. Hii inapaswa kuzingatia tu tabia ndani ya jamii/mahali pa kazi pa mradi. Mifano ya kanuni za mwenendo ni kanuni ya mwenendo ya kernel ya Linux, Kanuni ya Mwenendo ya Agano la Mchangiaji, Kanuni ya Mwenendo ya Debian, Kanuni ya Mwenendo ya Ubuntu, Kanuni ya Mwenendo ya Fedora, Kanuni ya Mwenendo ya GNOME, Kanuni ya Mwenendo ya Jamii ya KDE, Kanuni ya Mwenendo ya Jamii ya Python, Mwongozo wa Mwenendo wa Jamii ya Ruby, na Kanuni ya Mwenendo ya Rust.

    The project has adopted the Contributor Covenant Code of Conduct and posts it in the standard GitHub location: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CODE_OF_CONDUCT.md



    Mradi LAZIMA ufafanue kwa uwazi na kuandika hadharani majukumu muhimu katika mradi na wajibu wao, ikiwa ni pamoja na kazi zozote ambazo majukumu hayo lazima yafanywe. Lazima iwe wazi ni nani ana jukumu lipi, ingawa hii haiwezi kuandikwa kwa njia ile ile. (URL inahitajika) [roles_responsibilities]
    Nyaraka kwa utawala na majukumu na wajibu zinaweza kuwa mahali pamoja.

    The project documents key roles and responsibilities in docs/project-roles.md. The document identifies the current project member, sensitive-resource access, and responsibilities for the Maintainer, Release manager, Security contact, and Contributor roles.

    Evidence:
    https://github.com/RoryGlenn/commitment-issues/blob/main/docs/project-roles.md



    Mradi LAZIMA uweze kuendelea kwa usumbufu mdogo ikiwa mtu yeyote anakufa, anakuwa katika hali ya kudhoofika, au vinginevyo hawezi au hataki kuendelea kusaidia mradi. Hasa, mradi LAZIMA uweze kuunda na kufunga masuala, kukubali mabadiliko yaliyopendekezwa, na kutoa matoleo ya programu, ndani ya wiki moja ya uthibitishaji wa upotevu wa msaada kutoka kwa mtu yeyote mmoja. Hii INAWEZA kufanywa kwa kuhakikisha mtu mwingine ana funguo zozote zinazohitajika, nywila, na haki za kisheria ili kuendelea mradi. Watu binafsi wanaoendesha mradi wa FLOSS WANAWEZA kufanya hii kwa kuweka funguo katika sanduku la kufungia na wosia unaowezesha haki zozote zinazohitajika za kisheria (k.m., kwa majina ya DNS). (URL inahitajika) [access_continuity]

    The project does not yet fully satisfy this criterion.

    The repository documents project roles and sensitive-resource access, but the current access list identifies only one maintainer/release manager/security contact with GitHub repository administration, GitHub Actions, GitHub Security Advisories, npm package publishing, release creation, and dependency/security settings access.

    The repository also currently lists only one default code owner for all files. Because no second maintainer, emergency successor, lockbox process, or equivalent access-continuity arrangement is publicly documented yet, the project has not shown that issues could be created/closed, proposed changes accepted, and releases published within one week if the current maintainer became unavailable.

    Current evidence:
    https://github.com/RoryGlenn/commitment-issues/blob/main/docs/project-roles.md
    https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CODEOWNERS



    Mradi INAPASWA kuwa na "bus factor" ya 2 au zaidi. (URL inahitajika) [bus_factor]
    "Bus factor" (pia inajulikana kama "truck factor") ni idadi ya chini ya washiriki wa mradi ambao wanapaswa kutoweka ghafla kutoka kwenye mradi ("kupigwa na basi") kabla ya mradi kusimama kwa sababu ya ukosefu wa wafanyakazi wenye elimu au wenye uwezo. Zana ya truck-factor inaweza kukadiria hii kwa miradi kwenye GitHub. Kwa maelezo zaidi, angalia Kutathmini Bus Factor ya Hifadhi za Git na Cosentino et al.

    The project does not currently have a bus factor of 2 or more. The repository currently lists only one default code owner, @RoryGlenn, for all files, so the project does not yet show that at least two people can continue key project maintenance if one person becomes unavailable. Current evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CODEOWNERS


  • Nyaraka


    Mradi LAZIMA uwe na ramani ya barabara iliyoandikwa inayoeleza kile mradi unakusudia kufanya na kutofanya kwa angalau mwaka unaofuata. (URL inahitajika) [documentation_roadmap]
    Mradi huenda usitimiza ramani ya barabara, na hiyo ni sawa; kusudi la ramani ya barabara ni kusaidia watumiaji na wachangiaji watarajiwa kuelewa mwelekeo unaokusudiwa wa mradi. Haihitaji kuwa na maelezo mengi.

    The project has a public one-year roadmap. It describes what the project intends to do over the next 12 months, including maintenance, compatibility, security and release practices, testing, documentation, onboarding, and feature direction. It also documents explicit non-goals.

    Evidence:
    https://github.com/RoryGlenn/commitment-issues/blob/main/ROADMAP.md



    Mradi LAZIMA ujumuishe nyaraka za muundo (pia inajulikana kama muundo wa kiwango cha juu) wa programu inayozalishwa na mradi. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). (URL inahitajika) [documentation_architecture]
    Muundo wa programu unaeleza miundo ya msingi ya programu, yaani, vipengele vikuu vya programu, uhusiano kati yao, na mali muhimu za vipengele na uhusiano hivi.

    The project documents its high-level architecture and public interface through the contributing guide and external interface reference. The contributing guide describes the project layout, including entry-point scripts, shared helper modules, tests, docs, and CI workflows. The external interface reference documents CLI commands, init-added scripts, Git hook entrypoints, configuration keys/defaults, output behavior, and exit behavior. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout and https://github.com/RoryGlenn/commitment-issues/blob/main/docs/external-interface.md



    Mradi LAZIMA uandike kile mtumiaji anaweza na asiweze kutarajia kwa suala la usalama kutoka kwa programu inayozalishwa na mradi ("mahitaji yake ya usalama"). (URL inahitajika) [documentation_security]
    Haya ni mahitaji ya usalama ambayo programu inakusudiwa kukidhi.

    The project documents what users can and cannot expect in terms of security. The security review documents the security boundary: commitment-issues runs locally, shells out to local tools, reads local Git/files, does not expose a network service, and does not transmit repository content. The README also documents the no-telemetry/no-phone-home posture. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md and https://github.com/RoryGlenn/commitment-issues#privacy.



    Mradi LAZIMA utoe mwongozo wa "kuanza haraka" kwa watumiaji wapya kuwasaidia kufanya kitu haraka na programu. (URL inahitajika) [documentation_quick_start]
    Wazo ni kuonyesha watumiaji jinsi ya kuanza na kufanya programu ifanye chochote. Hii ni muhimu sana kwa watumiaji watarajiwa kuanza.

    The README provides a Quickstart guide for new users, including install, initialization, normal commit workflow, fix commands, and push behavior. Evidence is here: https://github.com/RoryGlenn/commitment-issues#quickstart.



    Mradi LAZIMA ufanye jitihada ya kuweka nyaraka kulingana na toleo la sasa la matokeo ya mradi (ikiwa ni pamoja na programu inayozalishwa na mradi). Kasoro yoyote inayojulikana ya nyaraka inayofanya isilingane LAZIMA irekebishwe. Ikiwa nyaraka kwa ujumla ni za sasa, lakini kwa makosa inajumuisha baadhi ya maelezo ya zamani ambayo sio ya kweli tena, ichukue tu kama kasoro, kisha ifuatilie na urekebishe kama kawaida. [documentation_current]
    Nyaraka ZINAWEZA kujumuisha habari kuhusu tofauti au mabadiliko kati ya matoleo ya programu na/au kuunganisha kwa matoleo ya zamani ya nyaraka. Kusudi la kigezo hiki ni kwamba jitihada inafanywa ili kuweka nyaraka kulingana, siyo kwamba nyaraka lazima ziwe kamili.

    The project makes an effort to keep documentation consistent with the current version. The contribution guide requires user-visible behavior changes to update CHANGELOG.md and docs, and the pull request process requires contributors to explain testing and update docs where behavior changes. Recent release notes also show documentation updates tracked alongside behavior and release changes. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md, https://github.com/RoryGlenn/commitment-issues/blob/main/.github/PULL_REQUEST_TEMPLATE.md, and https://github.com/RoryGlenn/commitment-issues/blob/main/CHANGELOG.md.



    Ukurasa wa mbele wa hifadhi ya mradi na/au tovuti LAZIMA utambulishe na kuunganisha kiungo kwa mafanikio yoyote, ikiwa ni pamoja na nishani hii ya mazoea bora, ndani ya masaa 48 ya kutambua hadharani kwamba ufanikio umepatikana. (URL inahitajika) [documentation_achievements]
    Ufanikio ni seti yoyote ya vigezo vya nje ambavyo mradi umefanya kazi mahususi kukidhi, ikiwa ni pamoja na nishani fulani. Habari hii haihitaji kuwa kwenye ukurasa wa mbele wa tovuti ya mradi. Mradi unaotumia GitHub unaweza kuweka mafanikio kwenye ukurasa wa mbele wa hifadhi kwa kuyaongeza kwenye faili ya README.

    The repository front page identifies and links project achievements, including CI, coverage, OpenSSF Scorecard, OpenSSF Best Practices, npm version, Node version, and license badges. The Best Practices badge is linked from the README front page here: https://github.com/RoryGlenn/commitment-issues#readme.


  • Ufikiaji na kimataifa


    Mradi (tovuti zote za mradi na matokeo ya mradi) INAPASWA kufuata mazoea bora ya ufikiaji ili watu wenye ulemavu bado waweze kushiriki katika mradi na kutumia matokeo ya mradi ambapo ni busara kufanya hivyo. [accessibility_best_practices]
    Kwa programu za wavuti, angalia Miongozo ya Ufikiaji wa Maudhui ya Wavuti (WCAG 2.0) na hati yake inayosaidia Kuelewa WCAG 2.0; angalia pia habari za ufikiaji za W3C. Kwa programu za GUI, zingatia kutumia miongozo ya ufikiaji ya mazingira maalum (kama vile Gnome, KDE, XFCE, Android, iOS, Mac, na Windows). Baadhi ya programu za TUI (k.m., programu za `ncurses`) zinaweza kufanya mambo fulani ili kuzifanya kufikika zaidi (kama mpangilio wa `force-arrow-cursor` wa `alpine`). Programu nyingi za mstari wa amri zinafikika vizuri kama zilivyo. Kigezo hiki mara nyingi ni N/A, k.m., kwa maktaba za programu. Hapa kuna baadhi ya mifano ya hatua za kuchukua au masuala ya kuzingatia:
    • Toa mbadala za maandishi kwa maudhui yoyote yasiyo ya maandishi ili yaweze kubadilishwa kuwa aina nyingine watu wanahitaji, kama vile chapa kubwa, braille, hotuba, alama au lugha rahisi zaidi ( mwongozo wa WCAG 2.0 1.1)
    • Rangi haitumiwi kama njia pekee ya kuona ya kuwasilisha habari, kuashiria kitendo, kuchochea jibu, au kutofautisha kipengele cha kuona. ( mwongozo wa WCAG 2.0 1.4.1)
    • Uwasilishaji wa kuona wa maandishi na picha za maandishi una uwiano wa tofauti wa angalau 4.5:1, isipokuwa kwa maandishi makubwa, maandishi ya bahati mbaya, na nembo ( mwongozo wa WCAG 2.0 1.4.3)
    • Fanya kazi zote zipatikane kutoka kwenye kibodi (mwongozo wa WCAG 2.1)
    • Mradi wa GUI au wa wavuti INAPASWA kupima na angalau kipaza sauti kimoja cha skrini kwenye jukwaa la lengo (k.m., NVDA, Jaws, au WindowEyes kwenye Windows; VoiceOver kwenye Mac & iOS; Orca kwenye Linux/BSD; TalkBack kwenye Android). Programu za TUI ZINAWEZA kufanya kazi kupunguza uchanganyiko wa ziada ili kuzuia usomaji wa ziada na vipaza sauti vya skrini.

    The project makes a reasonable accessibility effort by using standard GitHub Markdown documentation, text-based CLI output, and descriptive alt text for README screenshots. The README's visual examples include alt text describing what each screenshot shows. Evidence is here: https://github.com/RoryGlenn/commitment-issues#what-it-looks-like.



    Programu iliyozalishwa na mradi INAPASWA kuwa kimataifa ili kuwezesha upatanifu wa lugha wa rahisi kwa utamaduni, eneo, au lugha ya hadhira lengo. Ikiwa kimataifa (i18n) haihusiki (k.m., programu haizalishi maandishi yanayokusudiwa kwa watumiaji wa mwisho na haipangi maandishi yanayosomeka na binadamu), chagua "haihusiki" (N/A). [internationalization]
    Upatanifu wa lugha "unarejelea upatanifu wa bidhaa, programu au maudhui ya hati ili kukidhi lugha, utamaduni na mahitaji mengine ya soko mahususi la lengo (eneo)." Kimataifa ni "muundo na maendeleo ya bidhaa, programu au maudhui ya hati ambayo huwezesha upatanifu wa lugha wa rahisi kwa hadhira lengo zinazotofautiana katika utamaduni, eneo, au lugha." (Ona "Upatanifu wa Lugha dhidi ya Kimataifa" ya W3C.) Programu inakidhi kigezo hiki kwa kuwa kimataifa tu. Hakuna upatanifu wa lugha kwa lugha nyingine mahususi unaohitajika, kwa kuwa mara tu programu imekuwa kimataifa inawezekana kwa wengine kufanya kazi kwenye upatanifu wa lugha.

    The software produces end-user-facing English CLI output, but it does not yet appear to provide an internationalization/localization mechanism for translating messages into other languages or adapting output for other locales. Current user-facing documentation and CLI behavior are documented here: https://github.com/RoryGlenn/commitment-issues#readme and https://github.com/RoryGlenn/commitment-issues/blob/main/docs/external-interface.md.


  • Mengine


    Ikiwa tovuti za mradi (tovuti, hifadhi, na URL za kupakua) zinahifadhi nywila kwa ajili ya uthibitishaji wa watumiaji wa nje, nywila LAZIMA zihifadhiwe kama mificho iliyorudiwa na chumvi kwa-mtumiaji kwa kutumia kanuni ya upanuaji (iliyorudiarudia) wa funguo (k.m., Argon2id, Bcrypt, Scrypt, au PBKDF2). Ikiwa tovuti za mradi hazihifadhi nywila kwa kusudi hili, chagua "haihusiki" (N/A). [sites_password_security]
    Kumbuka kwamba matumizi ya GitHub yanakidhi kigezo hiki. Kigezo hiki kinatumika tu kwa nywila zinazotumika kwa ajili ya uthibitishaji wa watumiaji wa nje kwenye tovuti za mradi (pia inaitwa uthibitishaji wa ndani). Ikiwa tovuti za mradi lazima ziingie kwenye tovuti zingine (pia inaitwa uthibitishaji wa nje), zinaweza kuhitaji kuhifadhi ishara za uidhinishaji kwa kusudi hilo kwa njia tofauti (kwa kuwa kuhifadhi mficho hakuna maana). Hii inatumia kigezo cha crypto_password_storage kwa tovuti za mradi, sawa na sites_https.

    N/A. The project sites are hosted by GitHub and npm, and the project itself does not store passwords for authentication of external users. The software also does not expose a network service, does not provide its own user-authentication system, and does not transmit repository data. Evidence is here: https://github.com/RoryGlenn/commitment-issues#privacy and https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md.


 Udhibiti wa Mabadiliko 1/1

  • Matoleo ya awali


    Mradi LAZIMA utunze matoleo ya zamani yaliyotumika mara nyingi ya bidhaa au kutoa njia ya usasishaji kwa matoleo mapya. Ikiwa njia ya usasishaji ni ngumu, mradi LAZIMA uandike jinsi ya kufanya usasishaji (k.m., violesura vilivyobadilika na hatua zilizoanishwa kwa undani ili kusaidia usasishaji). [maintenance_or_update]

    The project provides an upgrade path to newer versions. The security policy states that security fixes are released against the latest published npm version and recommends using the most recent 3.x release. The migration guide documents the upgrade path from commitment-issues 2.x to 3.x, including the interface changes from husky/lint-staged wiring to plain .git/hooks, detailed install/init commands, expected file changes, and follow-up checks after migration. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/SECURITY.md#supported-versions and https://github.com/RoryGlenn/commitment-issues/blob/main/docs/migration.md.


 Kuripoti 3/3

  • Mchakato wa kuripoti hitilafu


    Mradi LAZIMA utumie kifuatiliaji cha masuala kwa ajili ya kufuatilia masuala ya mtu binafsi. [report_tracker]

    The project uses GitHub Issues as its public issue tracker for individual bug reports, feature requests, and questions. The README directs users to GitHub Issues for bugs, feature requests, and questions, and package metadata lists the GitHub Issues URL as the bug-reporting location.

    https://github.com/RoryGlenn/commitment-issues/issues


  • Mchakato wa kuripoti udhaifu


    Mradi LAZIMA utoe sifa kwa waripoti wa ripoti zote za udhaifu zilizotatuliwa katika miezi 12 iliyopita, isipokuwa kwa waripoti wanaoomba kutojulikana. Ikiwa hakuna udhaifu uliotatuliwa katika miezi 12 iliyopita, chagua "haihusiki" (N/A). (URL inahitajika) [vulnerability_report_credit]

    N/A. There have been no vulnerabilities resolved in the last 12 months, so there are no vulnerability reporters to credit. The project documents that reporters will be credited in release notes if they wish when a vulnerability is fixed. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/SECURITY.md and https://github.com/RoryGlenn/commitment-issues/blob/main/CHANGELOG.md.



    Mradi LAZIMA uwe na mchakato ulioandikwa kwa ajili ya kujibu ripoti za udhaifu. (URL inahitajika) [vulnerability_response_process]
    Hii ina uhusiano mkubwa na vulnerability_report_process, ambayo inahitaji kuwa kuna njia iliyoandikwa ya kuripoti udhaifu. Pia inahusiana na vulnerability_report_response, ambayo inahitaji majibu kwa ripoti za udhaifu ndani ya kipindi fulani cha muda.

    The project documents its process for responding to vulnerability reports in SECURITY.md. It tells reporters to use GitHub private vulnerability reporting, explains what information to include, says reports will be acknowledged and investigated, says reporters will be kept informed of progress, and says a new release and GitHub Security Advisory will be published where appropriate. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/SECURITY.md.


 Ubora 19/19

  • Viwango vya msimbo


    Mradi LAZIMA utambulishe miongozo mahususi ya mtindo wa kuandika msimbo kwa lugha kuu inazotumia, na uhitaji kwamba michango kwa ujumla ikidhi. (URL inahitajika) [coding_standards]
    Katika hali nyingi hii inafanywa kwa kurejelea baadhi ya miongozo ya mtindo iliyopo, huenda ikiorodhesha tofauti. Miongozo hii ya mtindo inaweza kujumuisha njia za kuboresha usomaji na njia za kupunguza uwezekano wa kasoro (ikiwa ni pamoja na udhaifu). Lugha nyingi za programu zina miongozo moja au zaidi ya mtindo inayotumika sana. Mifano ya miongozo ya mtindo ni pamoja na miongozo ya mtindo ya Google na Viwango vya Kuandika Msimbo wa SEI CERT.

    The project identifies coding standards for its primary JavaScript/Node.js codebase in the contributing guide. It requires formatting with Prettier, linting with ESLint flat config, small composable functions, clear names, and comments only where intent is non-obvious. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#coding-style.



    Mradi LAZIMA utekeleze kiotomatiki mtindo wake wa kuandika msimbo uliochaguliwa ikiwa kuna angalau zana moja ya FLOSS inayoweza kufanya hivyo katika lugha zilizochaguliwa. [coding_standards_enforced]
    Hii INAWEZA kutekelezwa kwa kutumia zana za uchambuzi mkako na/au kwa kulazimisha msimbo kupitia vifaa vya kurekebisha msimbo. Katika hali nyingi usanidi wa zana umejumuishwa katika hifadhi ya mradi (kwa kuwa miradi tofauti inaweza kuchagua usanidi tofauti). Miradi INAWEZA kuruhusu vighairi vya mtindo (na kwa kawaida itaruhusu); ambapo vighairi vinatokea, LAZIMA viwe nadra na viandikwe katika msimbo katika maeneo yao, ili vighairi hivi viweze kukaguliwa na ili zana ziweze kuzishughulikia kiotomatiki baadaye. Mifano ya zana kama hizo ni pamoja na ESLint (JavaScript), Rubocop (Ruby), na devtools check (R).

    The project automatically enforces its selected coding standards with FLOSS tools. Formatting is checked with Prettier via npm run format:check, and linting is checked with ESLint via npm run lint. CI runs both checks automatically on pushes and pull requests. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/package.json and https://github.com/RoryGlenn/commitment-issues/blob/main/.github/workflows/ci.yml.


  • Mfumo wa ujenzi unaofanya kazi


    Mifumo ya kujenga kwa binari za asili LAZIMA iheshimu vigezo (vya mazingira) vya mkusanyaji na vya kiunganishi vilivyopitishwa kwao (k.m., CC, CFLAGS, CXX, CXXFLAGS, na LDFLAGS) na kuvipitisha kwenye viito vya mkusanyaji na vya kiunganishi. Mfumo wa kujenga UNAWEZA kuvipanua na bendera za ziada; LAZIMA USIBADILISHE thamani zilizotolewa na zake mwenyewe. Ikiwa hakuna binari za asili zinazozalishwa, chagua "haihusiki" (N/A). [build_standard_variables]
    Inapaswa kuwa rahisi kuwezesha vipengele maalum vya kujenga kama Address Sanitizer (ASAN), au kutii mazoea bora ya ugumu wa usambazaji (k.m., kwa kuwezesha kwa urahisi bendera za mkusanyaji kufanya hivyo).

    N/A. The project does not build native binaries and does not have a native compiler/linker build system, so compiler and linker environment variables such as CC, CFLAGS, CXX, CXXFLAGS, and LDFLAGS are not applicable. commitment-issues is a pure ESM JavaScript package with no build step. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout.



    Mfumo wa kujenga na usakinishaji UNAPASWA kuhifadhi taarifa za utatuzi ikiwa zimeombwa katika bendera husika (k.m., "install -s" haitumiwa). Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_preserve_debug]
    K.m., kuweka CFLAGS (C) au CXXFLAGS (C++) inapaswa kuunda taarifa husika za utatuzi ikiwa lugha hizo zinatumika, na hazipaswi kuondolewa wakati wa usakinishaji. Taarifa za utatuzi zinahitajika kwa msaada na uchambuzi, na pia ni muhimu kwa kupima uwepo wa vipengele vya ugumu katika binari zilizokusanywa.

    N/A. The project has no native build or installation system that strips or preserves debugging information. commitment-issues is a typical JavaScript/Node.js package using pure ESM source files directly, with no build step, no native binaries, and no compiled debug symbols. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout.



    Mfumo wa kujenga kwa programu iliyozalishwa na mradi LAZIMA USIJENGA kwa njia ya kujirudia saraka ndogo ikiwa kuna utegemezi wa kukatana katika saraka ndogo. Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_non_recursive]
    Taarifa ya utegemezi wa ndani ya mfumo wa kujenga wa mradi inahitaji kuwa sahihi, vinginevyo, mabadiliko ya mradi huenda yasijenge vizuri. Mijengo isiyo sahihi inaweza kusababisha kasoro (ikiwa ni pamoja na udhaifu). Kosa la kawaida katika mifumo mikubwa ya kujenga ni kutumia "ujenzi wa kujirudia" au "make ya kujirudia", yaani, mlingano wa saraka ndogo zinazojumuisha faili za chanzo, ambapo kila saraka ndogo inajengwa kwa uhuru. Isipokuwa kila saraka ndogo ni huru kabisa, hii ni kosa, kwa sababu taarifa ya utegemezi si sahihi.

    N/A. The project has no build system that recursively builds subdirectories and no native build output. commitment-issues is a pure ESM JavaScript package with no build step or runtime transpilation. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout.



    Mradi LAZIMA uweze kurudia mchakato wa kuzalisha taarifa kutoka faili za chanzo na kupata matokeo sawa ya biti-kwa-biti. Ikiwa hakuna ujenzi unaofanyika (k.m., lugha za uandishi ambapo msimbo wa chanzo unatumika moja kwa moja badala ya kukusanywa), chagua "haihusiki" (N/A). [build_repeatable]
    Watumiaji wa GCC na clang wanaweza kupata chaguo la -frandom-seed kuwa na manufaa; katika hali fulani, hii inaweza kutatuliwa kwa kulazimisha aina fulani ya mpangilio. Mapendekezo zaidi yanaweza kupatikana kwenye tovuti ya ujenzi unaorudiwa.

    N/A. No building occurs for normal use because the project is a scripting-language package where source files are used directly instead of being compiled. commitment-issues is a pure ESM JavaScript package with no build step or runtime transpilation. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout.


  • Mfumo wa usakinishaji


    Mradi LAZIMA utoe njia ya kusakinisha na kuondoa kwa urahisi programu iliyozalishwa na mradi kwa kutumia mkataba unaotumika sana. [installation_common]
    Mifano ni pamoja na kutumia meneja wa kifurushi (kwa mfumo au kiwango cha lugha), "make install/uninstall" (inasaidia DESTDIR), chombo katika muundo wa kawaida, au picha ya mashine pepe katika muundo wa kawaida. Mchakato wa usakinishaji na uondoaji (k.m., kifurushi chake) UNAWEZA kutekelezwa na mtu wa tatu mradi tu ni FLOSS.

    The project provides a common installation and removal path using npm. Users install it with npm install -D commitment-issues eslint prettier, initialize it with npx commitment-issues init, and can remove it with npm remove commitment-issues plus the documented manual cleanup steps. Evidence is here: https://github.com/RoryGlenn/commitment-issues#quickstart and https://github.com/RoryGlenn/commitment-issues/blob/main/docs/faq.md#how-do-i-remove-it.



    Mfumo wa usakinishaji kwa watumiaji wa mwisho LAZIMA uheshimu mkataba wa kawaida kwa kuchagua eneo ambapo vitu vilivyojengwa vinaandikwa kwa wakati wa usakinishaji. Kwa mfano, ikiwa inasakinisha faili kwenye mfumo wa POSIX lazima iheshimu kigezo cha mazingira cha DESTDIR. Ikiwa hakuna mfumo wa usakinishaji au hakuna mkataba wa kawaida, chagua "haihusiki" (N/A). [installation_standard_variables]

    N/A. The project uses npm as its installation system and does not install built artifacts using a custom native installer or POSIX-style install process. There is no project-specific installation location variable such as DESTDIR to honor. Evidence is here: https://github.com/RoryGlenn/commitment-issues#quickstart and https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout.



    Mradi LAZIMA utoe njia kwa wasanidi programu wanaoweza kusakinisha haraka matokeo yote ya mradi na mazingira ya msaada yanayohitajika kufanya mabadiliko, ikiwa ni pamoja na majaribio na mazingira ya majaribio. Hii LAZIMA ifanywe kwa kutumia mkataba unaotumika sana. [installation_development_quick]
    Hii INAWEZA kutekelezwa kwa kutumia chombo kilichozalishwa na/au hati za usakinishaji. Utegemezi wa nje kwa kawaida utasakinishwa kwa kuita mfumo na/au meneja wa kifurushi cha lugha, kwa external_dependencies.

    The project provides a quick, common development setup using git and npm. Potential developers can fork and clone the repository, run npm install, then verify the development/test environment with npm test, npm run lint, and npm run format:check. The contributing guide also documents how to run the full test suite and individual test files. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#getting-started.


  • Vipengee vilivyotunzwa nje


    Mradi LAZIMA uorodheshe utegemezi wa nje kwa njia inayoweza kuchakatwa na kompyuta. (URL inahitajika) [external_dependencies]
    Kwa kawaida hii inafanywa kwa kutumia mkataba wa meneja wa kifurushi na/au mfumo wa ujenzi. Kumbuka kwamba hii inasaidia kutekeleza installation_development_quick.

    The project lists external dependencies in computer-processable npm metadata. package.json declares runtime dependencies, development dependencies, peer dependencies, and the supported Node engine, while package-lock.json records resolved dependency versions, integrity hashes, licenses, and transitive dependency metadata. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/package.json and https://github.com/RoryGlenn/commitment-issues/blob/main/package-lock.json.



    Miradi LAZIMA ifuatilie au kwa muda mrefu iangalie utegemezi wao wa nje (ikiwa ni pamoja na nakala za urahisi) kugundua udhaifu unaojulikana, na kurekebisha udhaifu unaoweza kutumiwa vibaya au kuthibitisha kuwa hauwezi kutumiwa vibaya. [dependency_monitoring]
    Hii inaweza kufanywa kwa kutumia zana ya kichambua chanzo / zana ya kuangalia utegemezi / zana ya uchambuzi wa muundo wa programu kama OWASP's Dependency-Check, Sonatype's Nexus Auditor, Synopsys' Black Duck Software Composition Analysis, na Bundler-audit (kwa Ruby). Baadhi ya waendesha kifurushi wanajumuisha taratibu za kufanya hii. Ni kubaliwa ikiwa udhaifu wa vipengele hauwezi kutumiwa vibaya, lakini uchambuzi huu ni mgumu na wakati mwingine ni rahisi kusasisha au kurekebisha sehemu.

    The project makes reused externally maintained components easy to identify and update through standard npm metadata and Dependabot. Dependencies are listed in package.json and locked in package-lock.json, and Dependabot is configured to open update pull requests for both npm packages and GitHub Actions. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/package.json, https://github.com/RoryGlenn/commitment-issues/blob/main/package-lock.json, and https://github.com/RoryGlenn/commitment-issues/blob/main/.github/dependabot.yml.



    Mradi LAZIMA au:
    1. fanya iwe rahisi kutambua na kusasisha vipengele vinavyotumiwa tena vilivyotunzwa nje; au
    2. tumia vipengele vya kawaida vinavyotolewa na mfumo au lugha ya programu.
    Kisha, ikiwa udhaifu unapatikana katika kipengele kilichotumiwa tena, itakuwa rahisi kusasisha kipengele hicho. [updateable_reused_components]
    Njia ya kawaida ya kutimiza kigezo hiki ni kutumia mifumo ya usimamizi wa kifurushi ya mfumo na lugha ya programu. Programu nyingi za FLOSS zinasambazwa na "maktaba za urahisi" ambazo ni nakala za ndani za maktaba za kawaida (labda zilizoachana). Kwa yenyewe, hiyo ni sawa. Hata hivyo, ikiwa programu *lazima* itumie nakala hizi za ndani (zilizoachanishwa), basi kusasisha maktaba za "kawaida" kama sasisho la usalama litaacha nakala hizi za ziada bado zenye udhaifu. Hii ni suala hasa kwa mifumo ya wingu; ikiwa mtoa huduma ya wingu anasasisha maktaba zao za "kawaida" lakini programu haitazitumia, basi masasisho hayasaidii kweli. Angalia, k.m., "Chromium: Kwa nini bado haiko katika Fedora kama kifurushi sahihi" na Tom Callaway.

    The project makes reused externally maintained components easy to identify and update through standard npm metadata and Dependabot. Dependencies are listed in package.json and locked in package-lock.json, and Dependabot is configured to open update pull requests for both npm packages and GitHub Actions. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/package.json, https://github.com/RoryGlenn/commitment-issues/blob/main/package-lock.json, and https://github.com/RoryGlenn/commitment-issues/blob/main/.github/dependabot.yml.



    Mradi UNAPASWA kuepuka kutumia vitendakazi na API zilizokubaliwa kuwa hazitumiki tena au zilizopitwa na wakati ambapo mbadala wa FLOSS zinapatikana katika seti ya teknolojia inayotumia ("kifurushi cha teknolojia" yake) na kwa wengi wa watumiaji ambao mradi unasaidia (ili watumiaji wawe na ufikiaji wa haraka wa mbadala). [interfaces_current]

    The project avoids deprecated or obsolete APIs where practical by targeting current Node.js runtime behavior, using pure ESM source files directly, and replacing older husky/lint-staged-based hook wiring with native .git/hooks wiring in version 3.x. The migration guide documents the move away from older hook-manager wiring and the supported current approach. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/migration.md and https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout.


  • Seti ya majaribio otomatiki


    Seti ya majaribio ya kiotomatiki LAZIMA itumike kwenye kila ukaguzi wa kuingia kwenye hifadhi iliyoshirikiwa kwa angalau tawi moja. Seti hii ya majaribio LAZIMA itoe ripoti ya mafanikio au kushindwa kwa majaribio. [automated_integration_testing]
    Mahitaji haya yanaweza kuonekana kama sehemu ndogo ya test_continuous_integration, lakini yanazingatia majaribio tu, bila kuhitaji uunganisho wa kuendelea.

    The project applies an automated test suite on each check-in to the shared repository through GitHub Actions. The CI workflow runs on pushes to main and pull requests, and it reports success or failure for linting, formatting, automated tests, package lifecycle smoke tests, coverage, and package-manager smoke tests. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/workflows/ci.yml.



    Mradi LAZIMA uongeze majaribio ya kurudi nyuma kwa seti ya majaribio ya kiotomatiki kwa angalau 50% ya hitilafu zilizorekebisha ndani ya miezi sita iliyopita. [regression_tests_added50]

    The project has evidence that regression tests are added for recent bug fixes. Recent repo-wide fixes included hook health reporting, init/lint-staged migration behavior, pre-push path handling, and blocking pre-push diff-failure behavior, with related init, doctor, prepush, path, and scenario-coverage tests added or updated. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/scenario-coverage.md and https://github.com/RoryGlenn/commitment-issues/blob/main/CHANGELOG.md.



    Mradi LAZIMA uwe na seti ya majaribio ya kiotomatiki ya FLOSS inayotoa angalau 80% ya usakinishaji wa taarifa ikiwa kuna angalau zana moja ya FLOSS inayoweza kupima kigezo hiki katika lugha iliyochaguliwa. [test_statement_coverage80]
    Zana nyingi za FLOSS zinapatikana kupima usakinishaji wa majaribio, ikiwa ni pamoja na gcov/lcov, Blanket.js, Istanbul, JCov, na covr (R). Kumbuka kwamba kutimiza kigezo hiki sio uhakika kwamba seti ya majaribio ni ya kina, badala yake, kushindwa kutimiza kigezo hiki ni kiashiria kizito cha seti ya majaribio mbaya.

    The project has FLOSS automated test suites that provide more than 80% coverage. The README reports current coverage at 93.93%, and the test suite is run with Node.js's built-in FLOSS node:test runner. Coverage is measured with npm run test:coverage, which uses Node's built-in coverage support. Evidence is here: https://github.com/RoryGlenn/commitment-issues#readme and https://github.com/RoryGlenn/commitment-issues/blob/main/package.json.


  • Upimaji wa utendaji mpya


    Mradi LAZIMA uwe na sera rasmi iliyoandikwa kwamba kadri utendakazi mkubwa mpya unaongezwa, majaribio ya utendakazi mpya LAZIMA yaongezwe kwenye seti ya majaribio ya kiotomatiki. [test_policy_mandated]

    The project documents a test policy, but the current wording is not strong enough for this criterion because it says behavior changes should include automated tests rather than requiring that major new functionality MUST include tests. Current partial policy is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#contribution-requirements.



    Mradi LAZIMA ujumuishe, katika maelekezo yake yaliyoandikwa kwa mapendekezo ya mabadiliko, sera kwamba majaribio yataongezwa kwa utendakazi mkubwa mpya. [tests_documented_added]
    Hata hivyo, hata sheria isiyo rasmi inakubaliwa mradi majaribio yaongezwe kimakosa.

    The project documents the policy for adding tests in the contribution/change proposal instructions. The contributing guide says behavior changes should include automated tests, bug fixes should include regression tests when practical, and PRs should pass npm test, linting, and formatting checks. The pull request template also asks contributors to confirm that tests were added or updated where appropriate. This is documented here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#contribution-requirements and https://github.com/RoryGlenn/commitment-issues/blob/main/.github/PULL_REQUEST_TEMPLATE.md.


  • Bendera za maonyo


    Miradi LAZIMA iwe na ukali wa juu zaidi na maonyo katika programu iliyozalishwa na mradi, iwezekanavyo vitendo. [warnings_strict]
    Baadhi ya maonyo hayawezi kuwashwa kwa ufanisi kwenye miradi fulani. Kinachohitajika ni ushahidi kwamba mradi unajitahidi kuwasha bendera za onyo ambapo inaweza, ili makosa yagundulika mapema.

    The project is strict with warnings where practical by using ESLint as a required quality gate, configuring its recommended JavaScript baseline, and setting project rules such as no-unused-vars, eqeqeq, no-var, and prefer-const to error. The lint command is npm run lint, and CI runs linting automatically on pushes and pull requests, so lint findings must be fixed before changes pass CI. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/eslint.config.js, https://github.com/RoryGlenn/commitment-issues/blob/main/package.json, and https://github.com/RoryGlenn/commitment-issues/blob/main/.github/workflows/ci.yml.


 Usalama 10/13

  • Maarifa ya maendeleo yenye usalama


    Mradi LAZIMA utekeleze kanuni za muundo salama (kutoka "know_secure_design"), pale inapohusika. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). [implement_secure_design]
    Kwa mfano, matokeo ya mradi yanapaswa kuwa na mipangilio salama ya kuzuia makosa (maamuzi ya ufikiaji yanapaswa kukataa kwa chaguo-msingi, na usakinishaji wa mradi unapaswa kuwa salama kwa chaguo-msingi). Pia yanapaswa kuwa na kikuu cha kati kikamilifu (kila ufikiaji ambao unaweza kuwekwa kikomo lazima ufanyiwe ukaguzi wa mamlaka na usiweze kuvukwa). Kumbuka kwamba katika hali fulani kanuni zitagombana, na katika hali hiyo chaguo lazima lifanywe (k.m., taratibu nyingi zinaweza kufanya mambo kuwa magumu zaidi, kukiuka "uchumi wa utaratibu" / iweke rahisi).

    The project implements secure design principles where applicable. The security review documents the project security boundary and relevant risks for a local Git-hook CLI, including command/argument injection, path traversal, unsafe working-tree mutation, dependency/release-chain risk, and private vulnerability handling. The hardening document shows implemented mitigations, including safer process spawning with argument vectors instead of shell interpolation, defensive working-tree guards, path normalization tests, CodeQL, OpenSSF Scorecard, Dependabot, pinned GitHub Actions, npm trusted publishing, and SLSA provenance. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md and https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-hardening.md.


  • Tumia mazoea mazuri ya msingi ya usimbuaji

    Kumbuka kwamba programu fulani haihitaji kutumia taratibu za usimbuaji. Ikiwa mradi wako unazalisha programu ambayo (1) inajumuisha, inaamilisha, au inafanya usimbuaji kuwa hai, na (2) inaweza kutolewa kutoka Marekani (US) kwenda nje ya Marekani au kwa raia asiye wa Marekani, inaweza kuwa ni lazima kisheria kuchukua hatua chache za ziada. Kawaida hii inahusisha tu kutuma barua pepe. Kwa maelezo zaidi, tazama sehemu ya usimbuaji ya Kuelewa Teknolojia ya Chanzo Wazi & Udhibiti wa Usafirishaji wa Marekani.

    Mifumo ya usalama ya chaguo-msingi ndani ya programu inayozalishwa na mradi LAZIMA ISITEGEMEE algoriti za kriptologia au hali zenye udhaifu mkubwa unaojulikana (k.m., algoriti ya hash ya kriptologia ya SHA-1 au hali ya CBC katika SSH). [crypto_weaknesses]
    Wasiwasi kuhusu hali ya CBC katika SSH unajadiliwa katika CERT: SSH CBC vulnerability.

    N/A. The software produced by this project does not implement or depend on cryptographic algorithms or cipher modes as runtime security mechanisms, so it does not depend on cryptographic algorithms with known serious weaknesses such as SHA-1 or CBC mode. commitment-issues runs locally in the user's Git workflow and does not expose a network service or transmit repository content. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md and https://github.com/RoryGlenn/commitment-issues#privacy.



    Mradi INAPASWA kusaidia algoriti nyingi za kriptologia, ili watumiaji waweze kubadilisha haraka ikiwa moja imevunjwa. Algoriti za kawaida za funguo za simetria ni pamoja na AES, Twofish, na Serpent. Mbadala wa algoriti za hash za kriptologia za kawaida ni pamoja na SHA-2 (ikiwa ni pamoja na SHA-224, SHA-256, SHA-384 NA SHA-512) na SHA-3. [crypto_algorithm_agility]

    N/A. The software produced by this project does not implement cryptographic algorithms or provide cryptographic security mechanisms, so cryptographic algorithm agility is not applicable. commitment-issues runs locally in the user's Git workflow, does not expose a network service, and does not transmit repository content. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md and https://github.com/RoryGlenn/commitment-issues#privacy.



    Mradi LAZIMA usaidie kuhifadhi vitambulisho vya uthibitishaji (kama vile nywila na ishara za nguvu) na funguo za kibinafsi za kriptologia katika mafaili ambayo yametengwa na habari nyingine (kama vile mafaili ya usanidi, hifadhidata, na kumbukumbu), na kuruhusu watumiaji kusasisha na kubadilisha bila ukusanyaji upya wa msimbo. Ikiwa mradi haufanyi usindikaji wa vitambulisho vya uthibitishaji na funguo za kibinafsi za kriptologia, chagua "haihusiki" (N/A). [crypto_credential_agility]

    N/A. The project never processes authentication credentials or private cryptographic keys as part of its runtime behavior, so credential/key storage agility is not applicable. commitment-issues is local Git-hook tooling and does not provide authentication, store passwords, manage private keys, expose a network service, or transmit repository content. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md and https://github.com/RoryGlenn/commitment-issues#privacy.



    Programu iliyozalishwa na mradi INAPASWA kusaidia itifaki salama kwa mawasiliano yake yote ya mtandao, kama vile SSHv2 au zaidi, TLS1.2 au zaidi (HTTPS), IPsec, SFTP, na SNMPv3. Itifaki zisizo salama kama vile FTP, HTTP, telnet, SSLv3 au mapema zaidi, na SSHv1 ZINAPASWA kuzimwa kwa chaguo-msingi, na kuzimwa tu ikiwa mtumiaji anaisanidi mahususi. Ikiwa programu iliyozalishwa na mradi haiesaidii mawasiliano ya mtandao, chagua "haihusiki" (N/A). [crypto_used_network]

    N/A. commitment-issues does not support network communications. It runs locally inside the user's Git workflow, reads local Git state and project files, and shells out to local tools such as ESLint, Prettier, and the configured test runner. It does not expose a network service or transmit repository content.



    Programu iliyozalishwa na mradi INAPASWA, ikiwa inasaidia au inatumia TLS, kusaidia angalau toleo la TLS 1.2. Kumbuka kuwa kilichotangulia TLS kiliitwa SSL. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_tls12]

    N/A. commitment-issues does not use TLS because it does not perform network communications. It runs locally inside the user's Git workflow, reads local Git state and local files, and shells out to local tools such as ESLint, Prettier, and the configured test runner. It does not expose a network service or transmit repository content.



    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti cha TLS kwa chaguo-msingi inapotumia TLS, ikiwa ni pamoja na rasilimali ndogo. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_certificate_verification]

    N/A. The software produced by this project does not use TLS, expose a network service, or transmit repository content, so TLS certificate verification is not applicable. commitment-issues runs locally in the user's Git workflow and shells out to local tools. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md and https://github.com/RoryGlenn/commitment-issues#privacy.



    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti kabla ya kutuma vichwa vya HTTP na habari ya kibinafsi (kama vile vidakuzi salama). Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_verification_private]

    N/A. The software produced by this project does not use TLS and does not send HTTP headers with private information such as secure cookies. commitment-issues runs locally in the user's Git workflow, does not expose a network service, and does not transmit repository content. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-review-2026-07.md and https://github.com/RoryGlenn/commitment-issues#privacy.


  • Kutolewa kwa usalama


    Mradi LAZIMA uweke saini kwa kriptologia matoleo ya matokeo ya mradi yanayokusudiwa kwa matumizi ya kila mahali, na LAZIMA kuwe na mchakato ulioandikwa unaoweleza watumiaji jinsi wanaweza kupata funguo za umma za saini na kuthibitisha saini. Funguo ya kibinafsi kwa saini hizi LAZIMA ISIWE kwenye tovuti zinazosambaza moja kwa moja programu kwa umma. Ikiwa matoleo hayakusudiwa kwa matumizi ya kila mahali, chagua "haihusiki" (N/A). [signed_releases]
    Matokeo ya mradi ni pamoja na msimbo wa chanzo na matokeo yoyote yaliyozalishwa pale inapohusika (k.m., mifumo inayotekelezeka, vifurushi, na vyombo). Matokeo yaliyozalishwa YANAWEZA kuwekwa saini tofauti na msimbo wa chanzo. Hizi ZINAWEZA kutekelezwa kama lebo za git zilizowekwa saini (kwa kutumia saini za kidijitali za kriptologia). Miradi YAWEZA kutoa matokeo yaliyozalishwa tofauti na zana kama vile git, lakini katika hali hizo, matokeo tofauti LAZIMA yawekwe saini tofauti.

    The project has a release workflow that publishes through npm trusted publishing and generates SLSA provenance, but I do not see a documented user-facing process explaining how users can obtain public signing keys and verify release signatures. Keep this Unmet until release-signing verification instructions are documented. Current partial release-security evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/workflows/publish.yml.



    INAPENDEKEZWA kuwa katika mfumo wa udhibiti wa toleo, kila lebo muhimu ya toleo (lebo ambayo ni sehemu ya toleo kuu, toleo dogo, au kurekebishwa udhaifu uliotangazwa hadharani) iwekwe saini kwa kriptologia na iweze kuthibitishwa kama ilivyoelezwa katika signed_releases. [version_tags_signed]

    The project uses version tags for releases, but I do not see evidence that important version tags are cryptographically signed and verifiable. Keep this Unmet until release tags are signed and the verification process is documented. Current release-tag workflow evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/workflows/publish.yml.


  • Masuala mengine ya usalama


    Matokeo ya mradi LAZIMA yafanye ukaguzi wa pembejeo zote kutoka vyanzo visivyoaminika ili kuhakikisha ni halali (*orodha zinazokubalika*), na kukataa pembejeo zisizo halali, ikiwa kuna vizuizi vyovyote kwenye data kabisa. [input_validation]
    Kumbuka kuwa kulinganisha ingizo dhidi ya orodha ya "miundo mibaya" (aka *orodha za kukataza*) kwa kawaida haitoshi, kwa sababu washambuliaji mara nyingi wanaweza kuepuka orodha ya kukataza. Hasa, nambari zinabadilishwa kuwa miundo ya ndani na kisha kuangaliwa ikiwa ziko kati ya chini na juu zao (ikiwa ni pamoja), na vifungu vya maandishi vinaangaliwa ili kuhakikisha kuwa ni ruwaza halali za maandishi (k.m., UTF-8 halali, urefu, sintaksia, n.k.). Baadhi ya data inaweza kuhitaji kuwa "chochote kabisa" (k.m., kipakia faili), lakini hizi kwa kawaida zingekuwa nadra.

    No (currently in progress).

    commitment-issues uses an allowlist for recognized configuration keys and warns about unknown configuration options, helping prevent configuration typos from silently changing behavior. However, it does not yet fully validate and reject all invalid configuration values from untrusted inputs (such as malformed values in package.json).

    To fully satisfy this requirement, the project will implement strict validation for configuration values (for example, ensuring booleans are booleans, tone is one of the supported values, arrays contain only valid element types, and numeric values are within valid ranges), rejecting or ignoring invalid inputs with clear diagnostic messages.



    Taratibu za kuimarisha ZINAPASWA kutumiwa katika programu iliyozalishwa na mradi ili kasoro za programu ziwe na uwezekano mdogo wa kusababisha udhaifu wa usalama. [hardening]
    Taratibu za kuimarisha zinaweza kujumuisha vichwa vya HTTP kama Sera ya Usalama wa Maudhui (CSP), bendera za mkusanyaji ili kupunguza mashambulizi (kama vile -fstack-protector), au bendera za mkusanyaji ili kuondoa tabia isiyofafanuliwa. Kwa madhumuni yetu upendeleo mdogo hauhesabiwi kuwa utaratibu wa kuimarisha (upendeleo mdogo ni muhimu, lakini tofauti).

    The project uses documented hardening mechanisms to reduce the chance that software defects become security vulnerabilities. These include safer process spawning with argument vectors instead of shell interpolation for file paths, defensive working-tree guards that refuse risky staged/unstaged mutations, cross-platform path normalization tests, CodeQL static analysis, OpenSSF Scorecard, Dependabot, pinned GitHub Actions, npm trusted publishing, and SLSA provenance for releases.

    https://github.com/RoryGlenn/commitment-issues/blob/main/docs/security-hardening.md



    Mradi LAZIMA utoe kesi ya uhakika inayosababisha kwa nini mahitaji yake ya usalama yanakidhi. Kesi ya uhakika LAZIMA ijumuishe: maelezo ya muundo wa tishio, utambulisho wazi wa mipaka ya kuaminiwa, hoja kwamba kanuni za muundo salama zimetumika, na hoja kwamba udhaifu wa kawaida wa utekelezaji wa usalama umekabiliana nao. (URL inahitajika) [assurance_case]
    Kesi ya uhakika ni "mwili wa ushahidi ulioandikwa unaotoa hoja inayoshawishi na halali kwamba seti maalum ya madai muhimu kuhusu mali za mfumo ziko na sababu za kutosha kwa programu maalum katika mazingira maalum" ("Uhakika wa Programu Kwa kutumia Miundo ya Kesi ya Uhakika Iliyopangwa", Thomas Rhodes et al, NIST Interagency Report 7608). Mipaka ya kuaminiwa ni mipaka ambapo data au utekelezaji hubadilisha kiwango chake cha kuaminiwa, k.m., mipaka ya seva katika programu ya kawaida ya wavuti. Ni ya kawaida kuorodhesha kanuni za muundo salama (kama vile Saltzer na Schroeer) na udhaifu wa kawaida wa utekelezaji wa usalama (kama vile OWASP top 10 au CWE/SANS top 25), na kuonyesha jinsi kila moja unavyokabiliana. Kesi ya uhakika ya BadgeApp inaweza kuwa mfano wenye manufaa. Hii inahusiana na documentation_security, documentation_architecture, na implement_secure_design.

    Not yet.

    This requirement is not currently satisfied.

    To meet this requirement, the project should publish an assurance case (for example, docs/security/assurance-case.md) that includes:

    • A description of the project's threat model, including expected attackers, assets, and assumptions.
    • Clear identification of trust boundaries (such as user repositories, Git hooks, local configuration, the operating system, external tools, and CI environments).
    • An explanation of how secure design principles are applied (least privilege, fail-safe defaults, defense in depth, secure defaults, and minimizing trust).
    • An explanation of how common implementation security weaknesses are mitigated (input validation, command execution safety, path handling, temporary files, dependency management, error handling, and testing).

    Once published, the URL to this document can be provided as evidence for this requirement.


 Uchanganuzi 2/2

  • Uchambuzi tuli wa msimbo


    Mradi LAZIMA utumie angalau zana moja ya uchanganuzi tuli yenye sheria au mbinu za kutafuta udhaifu wa kawaida katika lugha au mazingira yaliyochanganuliwa, ikiwa kuna angalau zana moja ya FLOSS inayoweza kutekeleza kigezo hiki katika lugha iliyochaguliwa. [static_analysis_common_vulnerabilities]
    Zana za uchambuzi tuli ambazo zimeundwa hasa kutafuta udhaifu wa kawaida zina uwezekano mkubwa wa kuzipata. Hata hivyo, kutumia zana zozote za tuli kwa kawaida itasaidia kupata baadhi ya matatizo, kwa hivyo tunashauri lakini hatunahitaji hii kwa kiwango cha nishani ya 'kupita'.

    The project's static analysis includes CodeQL, a security-focused static analysis tool for JavaScript/TypeScript that is intended to find common vulnerability patterns. The project also uses ESLint's recommended JavaScript baseline and project-specific error rules to catch common code mistakes. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/workflows/codeql.yml and https://github.com/RoryGlenn/commitment-issues/blob/main/eslint.config.js.


  • Uchambuzi wa msimbo wa nguvu za ziada


    Ikiwa programu iliyozalishwa na mradi inajumuisha programu iliyoandikwa kwa kutumia lugha isiyosalama ya kumbukumbu (k.m., C au C++), basi angalau zana moja ya nguvu (k.m., fuzzer au kitafutaji cha programu ya wavuti) LAZIMA itumike kwa kawaida kwa pamoja na utaratibu wa kugundua matatizo ya usalama wa kumbukumbu kama vile uandikaji zaidi wa kipengele. Ikiwa mradi hauzalishi programu iliyoandikwa katika lugha isiyosalama ya kumbukumbu, chagua "haihusiki" (N/A). [dynamic_analysis_unsafe]
    Mifano ya taratibu za kugundua matatizo ya usalama wa kumbukumbu ni pamoja na Address Sanitizer (ASAN) (inapatikana katika GCC na LLVM), Memory Sanitizer, na valgrind. Zana nyingine zinazoweza kutumika ni pamoja na thread sanitizer na undefined behavior sanitizer. Madai ya kila mahali pia yaweza kufanya kazi.

    N/A. The project does not produce software written in a memory-unsafe language such as C or C++. commitment-issues is a JavaScript/Node.js package using pure ESM .mjs source files, so memory-safety dynamic-analysis requirements for memory-unsafe languages do not apply. Evidence is here: https://github.com/RoryGlenn/commitment-issues/blob/main/.github/CONTRIBUTING.md#project-layout and https://github.com/RoryGlenn/commitment-issues/blob/main/package.json.



Data hii inapatikana chini ya Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). Hii inamaanisha kuwa Mpokeaji wa Data anaweza kushiriki Data, na au bila marekebisho, mradi Mpokeaji wa Data anapatanisha maandishi ya mkataba huu na Data iliyoshirikiwa. Tafadhali tambua RoryGlenn na wachangiaji wa nishani ya Mazoea Bora ya OpenSSF.

Ingizo la nishani ya mradi linamilikiwa na: RoryGlenn.
Ingizo liliundwa siku 2026-07-08 02:38:47 UTC, iliyosasishwa mara ya mwisho siku 2026-07-09 21:04:40 UTC. Ilipata mara ya mwisho nishani ya kupita siku 2026-07-09 17:43:22 UTC.