docs: add responsible desclosure guidelines

deps(deps): bump the frontend-dependencies group across 1 directory with 12 updates

.github/dependabot.yml

@@ -1,28 +1,70 @@
 version: 2
 updates:
-  # Enable version updates for Node.js dependencies
+  # Frontend dependencies (root package.json)
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "09:00"
     allow:
       - dependency-type: "all"
     groups:
-      all:
+      frontend-dependencies:
         patterns:
           - "*"
     ignore:
       - dependency-name: "eslint"
         versions: ">= 9"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
 
-  # Enable version updates for rust
+  # Nodecar dependencies
+  - package-ecosystem: "npm"
+    directory: "/nodecar"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    allow:
+      - dependency-type: "all"
+    groups:
+      nodecar-dependencies:
+        patterns:
+          - "*"
+    commit-message:
+      prefix: "deps(nodecar)"
+      include: "scope"
+
+  # Rust dependencies
   - package-ecosystem: "cargo"
     directory: "/src-tauri"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "09:00"
     allow:
       - dependency-type: "all"
     groups:
-      all:
+      rust-dependencies:
         patterns:
           - "*"
+    commit-message:
+      prefix: "deps(rust)"
+      include: "scope"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    commit-message:
+      prefix: "ci"
+      include: "scope"

.github/workflows/dependabot-automerge.yml

@@ -1,21 +1,60 @@
-# Automatically squashes and merges Dependabot dependency upgrades if tests pass
+name: Dependabot Automerge
 
-name: Dependabot Auto-merge
-
-on: pull_request_target
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
 
 permissions:
   pull-requests: write
   contents: write
+  checks: read
 
 jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-
+  security-scan:
+    name: Security Vulnerability Scan
     if: ${{ github.actor == 'dependabot[bot]' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/pnpm-lock.yaml
+        ./
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+
+  lint-js:
+    name: Lint JavaScript/TypeScript
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    uses: ./.github/workflows/lint-js.yml
+    secrets: inherit
+
+  lint-rust:
+    name: Lint Rust
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    uses: ./.github/workflows/lint-rs.yml
+    secrets: inherit
+
+  dependabot-automerge:
+    name: Dependabot Automerge
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    needs: [security-scan, lint-js, lint-rust]
+    runs-on: ubuntu-latest
     steps:
-      - name: Fetch Dependabot metadata
-        id: dependabot-metadata
+      - name: Dependabot metadata
+        id: metadata
         uses: dependabot/fetch-metadata@v2
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Auto-merge minor and patch updates
+        uses: ridedott/merge-me-action@v2
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PRESET: DEPENDABOT_MINOR
+          MERGE_METHOD: SQUASH
+    timeout-minutes: 10

.github/workflows/lint-js.yml

@@ -13,6 +13,8 @@ on:
     paths-ignore:
       - "src-tauri/**"
       - "README.md"
+      - ".github/workflows/lint-rs.yml"
+      - ".github/workflows/osv.yml"
 
 jobs:
   build:

.github/workflows/lint-rs.yml

@@ -12,11 +12,17 @@ on:
   pull_request:
     paths-ignore:
       - "src/**"
+      - "nodecar/**"
       - "package.json"
-      - "package-lock.json"
-      - "yarn.lock"
       - "pnpm-lock.yaml"
+      - "yarn.lock"
       - "README.md"
+      - ".github/workflows/lint-js.yml"
+      - ".github/workflows/osv.yml"
+      - "next.config.js"
+      - "tailwind.config.js"
+      - "tsconfig.json"
+      - "biome.json"
 
 jobs:
   build:
@@ -61,7 +67,7 @@ jobs:
       - name: Install nodecar dependencies
         working-directory: ./nodecar
         run: |
-          pnpm install --ignore-workspace --frozen-lockfile
+          pnpm install --frozen-lockfile
 
       - name: Build nodecar binary
         shell: bash

.github/workflows/osv.yml

@@ -0,0 +1,74 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+# Security vulnerability scanning for Donut Browser
+# Scans dependencies in package managers (npm/pnpm, Cargo) for known vulnerabilities
+# Runs on schedule and when dependencies change
+
+name: Security Vulnerability Scan
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths:
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "src-tauri/Cargo.toml"
+      - "src-tauri/Cargo.lock"
+      - "nodecar/package.json"
+      - "nodecar/pnpm-lock.yaml"
+      - ".github/workflows/osv.yml"
+  merge_group:
+    branches: ["main"]
+  schedule:
+    # Run weekly on Tuesdays at 2:20 PM UTC
+    - cron: "20 14 * * 2"
+  push:
+    branches: ["main"]
+    paths:
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "src-tauri/Cargo.toml"
+      - "src-tauri/Cargo.lock"
+      - "nodecar/package.json"
+      - "nodecar/pnpm-lock.yaml"
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  scan-scheduled:
+    name: Scheduled Security Scan
+    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/pnpm-lock.yaml
+        ./
+
+  scan-pr:
+    name: PR Security Scan
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/pnpm-lock.yaml
+        ./

.github/workflows/pr-checks.yml

@@ -0,0 +1,50 @@
+name: Pull Request Checks
+
+on:
+  pull_request:
+    branches: ["main"]
+  merge_group:
+    branches: ["main"]
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  lint-js:
+    name: Lint JavaScript/TypeScript
+    uses: ./.github/workflows/lint-js.yml
+    secrets: inherit
+
+  lint-rust:
+    name: Lint Rust
+    uses: ./.github/workflows/lint-rs.yml
+    secrets: inherit
+
+  security-scan:
+    name: Security Vulnerability Scan
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=pnpm-lock.yaml
+        --lockfile=nodecar/pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        ./
+
+  pr-status:
+    name: PR Status Check
+    runs-on: ubuntu-latest
+    needs: [lint-js, lint-rust, security-scan]
+    if: always()
+    steps:
+      - name: Check all jobs succeeded
+        run: |
+          if [[ "${{ needs.lint-js.result }}" != "success" || "${{ needs.lint-rust.result }}" != "success" || "${{ needs.security-scan.result }}" != "success" ]]; then
+            echo "One or more checks failed"
+            exit 1
+          fi
+          echo "All checks passed!"

.github/workflows/release.yml

@@ -11,6 +11,22 @@ env:
   STABLE_RELEASE: "true"
 
 jobs:
+  security-scan:
+    name: Security Vulnerability Scan
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/pnpm-lock.yaml
+        ./
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+
   lint-js:
     name: Lint JavaScript/TypeScript
     uses: ./.github/workflows/lint-js.yml
@@ -22,7 +38,7 @@ jobs:
     secrets: inherit
 
   release:
-    needs: [lint-js, lint-rust]
+    needs: [security-scan, lint-js, lint-rust]
     permissions:
       contents: write
     strategy:
@@ -101,7 +117,7 @@ jobs:
       - name: Install nodecar dependencies
         working-directory: ./nodecar
         run: |
-          pnpm install --ignore-workspace --frozen-lockfile
+          pnpm install --frozen-lockfile
 
       - name: Build nodecar sidecar
         shell: bash

.github/workflows/rolling-release.yml

@@ -10,6 +10,22 @@ env:
   TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
 
 jobs:
+  security-scan:
+    name: Security Vulnerability Scan
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/pnpm-lock.yaml
+        ./
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+
   lint-js:
     name: Lint JavaScript/TypeScript
     uses: ./.github/workflows/lint-js.yml
@@ -21,7 +37,7 @@ jobs:
     secrets: inherit
 
   rolling-release:
-    needs: [lint-js, lint-rust]
+    needs: [security-scan, lint-js, lint-rust]
     permissions:
       contents: write
     strategy:
@@ -69,7 +85,7 @@ jobs:
       - name: Install nodecar dependencies
         working-directory: ./nodecar
         run: |
-          pnpm install --ignore-workspace --frozen-lockfile
+          pnpm install --frozen-lockfile
 
       - name: Build nodecar sidecar
         shell: bash

.gitignore

@@ -5,6 +5,10 @@
 /.pnp
 .pnp.js
 
+# npm/yarn lock files (project uses pnpm only)
+**/package-lock.json
+**/yarn.lock
+
 # testing
 /coverage
 

.vscode/settings.json

@@ -3,6 +3,7 @@
     "applescript",
     "autoconfig",
     "autologin",
+    "biomejs",
     "cdylib",
     "CFURL",
     "checkin",
@@ -11,6 +12,7 @@
     "donutbrowser",
     "dtolnay",
     "elif",
+    "esbuild",
     "gifs",
     "launchservices",
     "mountpoint",
@@ -24,6 +26,7 @@
     "reqwest",
     "rlib",
     "rustc",
+    "SARIF",
     "serde",
     "shadcn",
     "signon",
@@ -38,6 +41,7 @@
     "Torbrowser",
     "turbopack",
     "unlisten",
+    "unrs",
     "wiremock",
     "xattr",
     "zhom"

CONTRIBUTING.md

@@ -50,7 +50,7 @@ After having the above dependencies installed, proceed through the following ste
 
    ```bash
    cd nodecar
-   pnpm install --ignore-workspace --frozen-lockfile
+   pnpm install --frozen-lockfile
    cd ..
    ```
 

SECURITY.md

@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting Security Issues
+
+Thanks for helping make Donut Browser safe for everyone! ❤️
+
+We take the security of Donut Browser seriously. If you believe you have found a security vulnerability in Donut Browser, please report it to us through coordinated disclosure.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, please send an email to **contact at donutbrowser dot com** with the subject line "Security Vulnerability Report".
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+- The type of issue (e.g., buffer overflow, injection attack, privilege escalation, or cross-site scripting)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+- Your assessment of the severity level
+
+This information will help us triage your report more quickly.
+
+## What to Expect
+
+- **Response Time**: We will acknowledge receipt of your vulnerability report within 72 hours.
+- **Investigation**: We will investigate the issue and provide you with updates on our progress.
+- **Resolution**: We aim to resolve critical security issues as fast as possible, but no longer than in 30 days after the initial report.
+- **Disclosure**: We will coordinate with you on the timing of any public disclosure.
+
+## Contact
+
+For urgent security matters, please contact us at **contact at donutbrowser dot com**.
+
+For general questions about this security policy, you can also reach out through:
+
+- [GitHub Issues](https://github.com/zhom/donutbrowser/issues) (for non-security questions only)
+- [GitHub Discussions](https://github.com/zhom/donutbrowser/discussions)

nodecar/package.json

@@ -18,15 +18,15 @@
   "keywords": [],
   "author": "",
   "license": "AGPL-3.0",
-  "packageManager": "pnpm@10.6.1",
+  "packageManager": "pnpm@10.11.1+sha512.e519b9f7639869dc8d5c3c5dfef73b3f091094b0a006d7317353c72b124e80e1afd429732e28705ad6bfa1ee879c1fce46c128ccebd3192101f43dd67c667912",
   "dependencies": {
-    "@types/node": "^22.15.17",
-    "@yao-pkg/pkg": "^6.4.1",
-    "commander": "^13.1.0",
+    "@types/node": "^22.15.29",
+    "@yao-pkg/pkg": "^6.5.1",
+    "commander": "^14.0.0",
     "dotenv": "^16.5.0",
     "get-port": "^7.1.0",
     "nodemon": "^3.1.10",
-    "proxy-chain": "^2.5.8",
+    "proxy-chain": "^2.5.9",
     "ts-node": "^10.9.2",
     "typescript": "^5.8.3"
   }

nodecar/src/index.ts

@@ -48,8 +48,8 @@ program
             ignoreProxyCertificate: options.ignoreCertificate,
           });
           console.log(JSON.stringify(config));
-        } catch (error: any) {
-          console.error(`Failed to start proxy: ${error.message}`);
+        } catch (error: unknown) {
+          console.error(`Failed to start proxy: ${JSON.stringify(error)}`);
         }
       } else if (action === "stop") {
         if (options.id) {

nodecar/src/proxy-runner.ts

@@ -1,5 +1,5 @@
-import { spawn } from "child_process";
-import path from "path";
+import { spawn } from "node:child_process";
+import path from "node:path";
 import getPort from "get-port";
 import {
   type ProxyConfig,

nodecar/src/proxy-storage.ts

@@ -1,6 +1,6 @@
-import fs from "fs";
-import path from "path";
-import os from "os";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
 
 // Define the proxy configuration type
 export interface ProxyConfig {

package.json

@@ -42,31 +42,31 @@
     "react": "^19.1.0",
     "react-dom": "^19.1.0",
     "react-icons": "^5.5.0",
-    "sonner": "^2.0.3",
+    "sonner": "^2.0.5",
     "tailwind-merge": "^3.3.0"
   },
   "devDependencies": {
     "@biomejs/biome": "1.9.4",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.27.0",
-    "@next/eslint-plugin-next": "^15.3.2",
-    "@tailwindcss/postcss": "^4.1.7",
+    "@eslint/js": "^9.28.0",
+    "@next/eslint-plugin-next": "^15.3.3",
+    "@tailwindcss/postcss": "^4.1.8",
     "@tauri-apps/cli": "^2.5.0",
-    "@types/node": "^22.15.21",
-    "@types/react": "^19.1.5",
+    "@types/node": "^22.15.29",
+    "@types/react": "^19.1.6",
     "@types/react-dom": "^19.1.5",
-    "@typescript-eslint/eslint-plugin": "^8.32.1",
-    "@typescript-eslint/parser": "^8.32.1",
-    "@vitejs/plugin-react": "^4.5.0",
-    "eslint": "^9.27.0",
-    "eslint-config-next": "^15.3.2",
+    "@typescript-eslint/eslint-plugin": "^8.33.1",
+    "@typescript-eslint/parser": "^8.33.1",
+    "@vitejs/plugin-react": "^4.5.1",
+    "eslint": "^9.28.0",
+    "eslint-config-next": "^15.3.3",
     "eslint-plugin-react-hooks": "^5.2.0",
     "husky": "^9.1.7",
     "lint-staged": "^16.1.0",
-    "tailwindcss": "^4.1.7",
-    "tw-animate-css": "^1.3.0",
+    "tailwindcss": "^4.1.8",
+    "tw-animate-css": "^1.3.3",
     "typescript": "~5.8.3",
-    "typescript-eslint": "^8.32.1"
+    "typescript-eslint": "^8.33.1"
   },
   "packageManager": "pnpm@10.11.0+sha512.6540583f41cc5f628eb3d9773ecee802f4f9ef9923cc45b69890fb47991d4b092964694ec3a4f738a420c918a333062c8b925d312f42e4f0c263eb603551f977",
   "lint-staged": {

pnpm-workspace.yaml

@@ -1,5 +1,9 @@
+packages:
+  - "nodecar"
+
 onlyBuiltDependencies:
-  - '@biomejs/biome'
-  - '@tailwindcss/oxide'
+  - "@biomejs/biome"
+  - "@tailwindcss/oxide"
   - esbuild
   - sharp
+  - unrs-resolver

src-tauri/Cargo.lock

@@ -458,9 +458,9 @@ dependencies = [
 
 [[package]]
 name = "camino"
-version = "1.1.9"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b96ec4966b5813e2c0507c1f86115c8c5abaadc3980879c3424042a02fd1ad3"
+checksum = "0da45bc31171d8d6960122e222a67740df867c1dd53b4d51caa297084c185cab"
 dependencies = [
  "serde",
 ]
@@ -3395,9 +3395,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
 [[package]]
 name = "reqwest"
-version = "0.12.18"
+version = "0.12.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e98ff6b0dbbe4d5a37318f433d4fc82babd21631f194d370409ceb2e40b2f0b5"
+checksum = "a2f8e5513d63f2e5b386eb5106dc67eaf3f84e95258e210489136b8b92ad6119"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -4731,9 +4731,9 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.4"
+version = "0.6.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0fdb0c213ca27a9f57ab69ddb290fd80d970922355b83ae380b395d3986b8a2e"
+checksum = "5cc2d9e086a412a451384326f521c8123a99a466b329941a9403696bff9b0da2"
 dependencies = [
  "bitflags 2.9.1",
  "bytes",