From 43eeab882816aab05d73b7dcb7b707db4af403ab Mon Sep 17 00:00:00 2001
From: Andreas Stassivik <andreas@stassi.net>
Date: Fri, 4 Oct 2024 15:38:53 -0700
Subject: [PATCH 1/3] security policy initialization

---
 SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..aeadc4e
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,37 @@
+# Security policy
+
+## Updates
+
+[![npm version](https://img.shields.io/npm/v/%40stassi%2Fleaf)](https://www.npmjs.com/package/@stassi/leaf)
+
+**Always use the latest version of `@stassi/leaf`** via the `npm update` command ([documentation](https://docs.npmjs.com/cli/v10/commands/npm-update)) to ensure the latest security updates are received.
+
+## Reporting
+
+If you discover a **potential vulnerability in the `@stassi/leaf` codebase**, please follow these steps:
+
+1. **Do not publicly disclose any potential vulnerability.** Public disclosure increases the risk of a malicious exploit before a remedy is available.
+
+2. **Contact [security@stassi.net](mailto:security@stassi.net) directly via email.** Please provide detailed information about the potential vulnerability, including steps to reproduce and any relevant code snippets or logs. Additional information or clarification may be requested.
+
+## Maintenance
+
+[![Security](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/security.yml)
+
+Automated security scans are integrated into the [continuous delivery (CD)](https://en.wikipedia.org/wiki/Continuous_delivery) pipeline.
+
+### Advisories
+
+View all [security advisories for `@stassi/leaf`](https://github.com/Stassi/leaf/security/advisories).
+
+### Dependencies
+
+[Dependabot](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide), [Snyk](https://en.wikipedia.org/wiki/Snyk), and the `npm audit` command ([documentation](https://docs.npmjs.com/cli/v10/commands/npm-audit)) mitigate upstream security risks by analyzing upstream dependencies. Potential vulnerabilities in third-party libraries like [Leaflet](<https://en.wikipedia.org/wiki/Leaflet_(software)>) are patched during the build process.
+
+### Sanitization
+
+All dynamic HTML content is sanitized using [DOMPurify](https://www.npmjs.com/package/dompurify) to prevent [cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks.
+
+### Static analysis
+
+[CodeQL (Semmle)](https://en.wikipedia.org/wiki/Semmle) and [ESLint](https://en.wikipedia.org/wiki/ESLint) use [static analysis](https://en.wikipedia.org/wiki/Static_program_analysis) to detect potential vulnerabilities early.

From 098b520696bb226b5d1011cb216e383c7a30ca82 Mon Sep 17 00:00:00 2001
From: Andreas Stassivik <andreas@stassi.net>
Date: Fri, 4 Oct 2024 17:41:14 -0700
Subject: [PATCH 2/3] security disclosures appended

---
 SECURITY.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
index aeadc4e..4b56df7 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -35,3 +35,50 @@ All dynamic HTML content is sanitized using [DOMPurify](https://www.npmjs.com/pa
 ### Static analysis
 
 [CodeQL (Semmle)](https://en.wikipedia.org/wiki/Semmle) and [ESLint](https://en.wikipedia.org/wiki/ESLint) use [static analysis](https://en.wikipedia.org/wiki/Static_program_analysis) to detect potential vulnerabilities early.
+
+## Disclosures
+
+The following potential vulnerabilities were **resolved** after detection.
+
+### DOM clobbering gadget in `rollup` bundled scripts leading to XSS
+
+- **Detected by:** Dependabot
+- **Vulnerable package:** [rollup](https://www.npmjs.com/package/rollup)
+- **Detection time:** 2024-09-24 19:48
+- **Resolution time:** 2024-09-25 4:41
+- **Resolution pull request (PR):** [#30](https://github.com/Stassi/leaf/pull/30) (feature/rollup-4-22-4)
+- **CVSS (severity):** 8.3 (high)
+- **Advisory:** [GHSA-gcx4-mw62-g8wm](https://github.com/advisories/GHSA-gcx4-mw62-g8wm)
+- **CVE:** [CVE-2024-47068](https://nvd.nist.gov/vuln/detail/CVE-2024-47068)
+- **CWEs:** [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)), [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output)
+
+### Regular expression denial of service (ReDoS) in `path-to-regexp`
+
+- **Detected by:** Dependabot & Snyk
+- **Vulnerable package:** [path-to-regexp](https://www.npmjs.com/package/path-to-regexp) (via [serve](https://www.npmjs.com/package/serve))
+- **Detection times:** September 24, 2024, at 19:48
+  - **Dependabot**: 2024-09-24 19:48
+  - **Snyk**: 2024-09-23 19:08
+- **Resolution time:** 2024-09-25 5:05
+- **Resolution pull request (PR):** [#31](https://github.com/Stassi/leaf/pull/31) (feature/path-to-regexp-3-3-0)
+- **CVSS (severity):**
+  - **Dependabot**: 7.7 (high)
+  - **Snyk**: 6.9 (medium)
+- **Advisories:**
+  - **Dependabot**: [GHSA-9wv6-86v2-598j](https://github.com/advisories/GHSA-9wv6-86v2-598j)
+  - **Snyk**: [SNYK-JS-PATHTOREGEXP-7925106](https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106)
+- **CVE:** [CVE-2024-45296](https://nvd.nist.gov/vuln/detail/CVE-2024-45296)
+- **CWE:** [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html) (Inefficient regular expression complexity)
+
+### Unsafe HTML constructed from `leaflet` library input
+
+- **Detected by:** CodeQL
+- **Vulnerable package:** [leaflet](https://www.npmjs.com/package/leaflet)
+- **Detection time:** 2024-09-24 16:03
+- **Resolution time:** 2024-10-04 03:17
+- **Resolution pull requests (PRs):**
+  - [#34](https://github.com/Stassi/leaf/pull/34) (feature/sanitize-leaflet)
+  - [#37](https://github.com/Stassi/leaf/pull/37) (feature/sanitize-tutorials-dom-xss)
+- **CVSS (severity):** 6.1 (medium)
+- **Advisory:** [CodeQL js/html-constructed-from-input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/)
+- **CWEs:** [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)), [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output)

From f87606859eff4e96f8b79b47d97255f16efa9045 Mon Sep 17 00:00:00 2001
From: Andreas Stassivik <andreas@stassi.net>
Date: Fri, 4 Oct 2024 17:41:29 -0700
Subject: [PATCH 3/3] 0.0.40

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a52b136..34c89ad 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@stassi/leaf",
-  "version": "0.0.39",
+  "version": "0.0.40",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@stassi/leaf",
-      "version": "0.0.39",
+      "version": "0.0.40",
       "cpu": [
         "arm64",
         "x64"
diff --git a/package.json b/package.json
index 88939ea..f32a17b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stassi/leaf",
-  "version": "0.0.39",
+  "version": "0.0.40",
   "description": "Leaflet adapter.",
   "keywords": [
     "cartography",