Security posture
This page is the canonical statement of Thinwrap’s security posture. Per-package supply-chain provenance is independently verifiable on each package’s npm and Packagist listing.
Vulnerability disclosure
- Email dev@thinwrap.dev or open a private security advisory in the affected package’s repository under github.com/thinwrap.
- Acknowledge: within 48 hours.
- Patch SLO: high / critical within 7 days; lower severities on a best-effort cadence.
- Coordinated disclosure preferred. Reporters are credited in the fix changelog unless anonymity is requested.
Provenance
- npm: every release is published with Sigstore provenance via GitHub Actions OIDC. The provenance badge is visible on each package’s npm page.
- Packagist: each PHP release is cosign-signed as part of the tagged GitHub release Packagist syncs from.
- Every release is built in CI from the tagged commit — no manual upload path.
Supply-chain controls
- No vendor SDKs. The TypeScript packages carry zero runtime dependencies (native
fetch); the PHP packages depend only on the PSR-18/17 HTTP interfaces plusphp-http/discovery— a bring-your-own client. - OIDC publishing: no long-lived registry tokens in CI secrets. Releases authenticate via short-lived federated tokens.
- Branch protection on
main: required status checks, code-owner review on release branches, no force-pushes. - Dev dependencies are pinned. Release CI verifies published provenance with
npm audit signatures; the PHP pipeline runscomposer audit.
Account security
- 2FA enforced on every account with publish authority (GitHub, npm, Packagist).
- Publish authority is restricted to a named maintainer set; org membership reviewed quarterly.
- No service accounts hold publish credentials.
Supported versions
Security fixes ship on the most recent minor of each package within the umbrella scopes:
@thinwrap/notifications·thinwrap/notifications@thinwrap/location·thinwrap/location
thinwrap.dev itself is a live website (no version contract); fixes deploy via the next main push.
EU CRA positioning
Thinwrap is open-source software published without monetization, in line with the EU Cyber Resilience Act’s scope for open-source stewards. The posture above is documented to make third-party risk-evaluation review — including CRA-adjacent questionnaires — quick to answer.