Security posture

This page is the canonical statement of Thinwrap’s security posture. Per-package supply-chain provenance is independently verifiable on each package’s npm and Packagist listing.

Vulnerability disclosure

  • Email dev@thinwrap.dev or open a private security advisory in the affected package’s repository under github.com/thinwrap.
  • Acknowledge: within 48 hours.
  • Patch SLO: high / critical within 7 days; lower severities on a best-effort cadence.
  • Coordinated disclosure preferred. Reporters are credited in the fix changelog unless anonymity is requested.

Provenance

  • npm: every release is published with Sigstore provenance via GitHub Actions OIDC. The provenance badge is visible on each package’s npm page.
  • Packagist: each PHP release is cosign-signed as part of the tagged GitHub release Packagist syncs from.
  • Every release is built in CI from the tagged commit — no manual upload path.

Supply-chain controls

  • No vendor SDKs. The TypeScript packages carry zero runtime dependencies (native fetch); the PHP packages depend only on the PSR-18/17 HTTP interfaces plus php-http/discovery — a bring-your-own client.
  • OIDC publishing: no long-lived registry tokens in CI secrets. Releases authenticate via short-lived federated tokens.
  • Branch protection on main: required status checks, code-owner review on release branches, no force-pushes.
  • Dev dependencies are pinned. Release CI verifies published provenance with npm audit signatures; the PHP pipeline runs composer audit.

Account security

  • 2FA enforced on every account with publish authority (GitHub, npm, Packagist).
  • Publish authority is restricted to a named maintainer set; org membership reviewed quarterly.
  • No service accounts hold publish credentials.

Supported versions

Security fixes ship on the most recent minor of each package within the umbrella scopes:

  • @thinwrap/notifications · thinwrap/notifications
  • @thinwrap/location · thinwrap/location

thinwrap.dev itself is a live website (no version contract); fixes deploy via the next main push.

EU CRA positioning

Thinwrap is open-source software published without monetization, in line with the EU Cyber Resilience Act’s scope for open-source stewards. The posture above is documented to make third-party risk-evaluation review — including CRA-adjacent questionnaires — quick to answer.