Merge branch 'main' into main

undp · Aug 30, 2024 · 05e56bd · 05e56bd
2 parents 28683c4 + d1c6100
commit 05e56bd
Show file tree

Hide file tree

Showing 4 changed files with 83 additions and 14 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,24 @@
+# Guidance on how to contribute
+
+All contributions to this project will be released under [LICENSE](LICENSE). By submitting a pull request or filing a bug, issue, or feature request, you are agreeing to comply with this waiver of copyright interest. You are also agreeing to comply to our community [Code of Conduct](CODE_OF_CONDUCT.md).
+
+There are two primary ways to help:
+
+* [Using the issue tracker](#tracker)
+* [Changing the code-base](#code)
+
+ <a name="tracker"></a>
+
+## Using the issue tracker
+
+Use the issue tracker to suggest feature requests, report bugs, and ask questions. This platform provides an excellent medium for interfacing with the project's development team and other stakeholders who share an interest in this solution.
+
+Use the issue tracker to find ways to contribute. Find a bug or a feature, mention in the issue that you will take on that effort, then follow the _Changing the code-base_ guidance below.
+
+<a name="code"></a>
+
+## Changing the code-base
+
+As a general guideline, it is recommended to fork this repository, make changes in your own fork, and then submit a pull request. All new code should have associated unit tests that validate implemented features and the presence or lack of defects.
+
+Moreover, the modified code should conform to any stylistic and architectural standards set by the project. In scenarios where such directives are not explicitly stated, strive to emulate the styles and patterns observed in the existing code-base.
diff --git a/README.md b/README.md
@@ -189,7 +189,6 @@ For integration, reference RESTful Web API Documentation documentation via Swagg
 * National API: `APP_URL`/national
 * Status API: `APP_URL`/stats
 
-
 <a name="resource"></a>
 
 ### Resource Requirements
@@ -250,4 +249,4 @@ By integrating these features, the code significantly contributes to achieving d
 
 [Digital For Climate (D4C)](https://www.theclimatewarehouse.org/work/digital-4-climate) is responsible for managing the application. D4C is a collaboration between the [European Bank for Reconstruction and Development (EBRD)](https://www.ebrd.com), [United Nations Development Program (UNDP)](https://www.undp.org), [United Nations Framework Convention on Climate Change (UNFCCC)](https://www.unfccc.int), [International Emissions Trading Association (IETA)](https://www.ieta.org), [European Space Agency (ESA)](https://www.esa.int), and [World Bank Group](https://www.worldbank.org) that aims to coordinate respective workflows and create a modular and interoperable end-to-end digital ecosystem for the carbon market. The overarching goal is to support a transparent, high integrity global carbon market that can channel capital for impactful climate action and low-carbon development.
 
-This code is managed by [United Nations Development Programme](https://www.undp.org) as custodian, detailed in the [press release](https://www.undp.org/news/newly-accredited-digital-public-good-national-carbon-registry-will-help-countries-meet-their-climate-targets). For any questions, contact us at [[email protected]](mailto:[email protected]).
+This code is managed by [United Nations Development Programme](https://www.undp.org) as custodian, detailed in the [press release](https://www.undp.org/news/newly-accredited-digital-public-good-national-carbon-registry-will-help-countries-meet-their-climate-targets). For any questions, contact us at [[email protected]](mailto:[email protected]).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,46 @@
+# 🛡️ Security Policy
+
+## 🌐 Supported Versions
+
+This is the list of versions of `carbon-registry` which are currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x   | ✅                |
+| 0.x   | ❌                |
+
+## 🚨 Reporting a Vulnerability
+
+The United Nations Development Programme (UNDP) takes the security of our software products seriously. If you believe you have found a security vulnerability in the Carbon Registry AGPL software, please report it to us as described below.
+
+### 📮 How to Report a Vulnerability
+
+1. **🔒 Do Not Report Security Vulnerabilities Publicly**
+   - Please do not report security vulnerabilities through public GitHub issues.
+
+2. **📧 Email**
+   - Directly email the UNDP Carbon Registry security team at [[email protected]](mailto:[email protected]?subject=Carbon%20Registry%20Security%20Warning%20Submission&body=Hi%20Standard%20Carbon%20Registry%20Team,%0AI%20identified%20a%20security%20vulnerability%20in%20https://github.com/undp/carbon-registry%20that%20I%20would%20like%20to%20privately%20warn%20you%20about.%20Details:%20).
+   - Please provide detailed information about the vulnerability, including steps to reproduce, potential impact, and suggested mitigation or remediation if known.
+
+3. **🕒 Expect a Response**
+   - We strive to acknowledge receipt of vulnerabilities and communicate our intended timeline for a fix within days.
+
+## 📢 Disclosure Policy
+
+1. **🤐 Confidentiality**
+   - Reporters of security vulnerabilities are expected to keep the vulnerability details confidential until a fix is released.
+
+2. **📣 Public Disclosure**
+   - Details about the vulnerability, including a description, its impact, and the date the fix was released, may be published after a fix is released, allowing users to assess the impact on their own deployment and take appropriate measures. Reporter is kept confidential unless otherwise requested.
+
+## 🔐 Security-Related Configuration and Compliance
+
+Please refer to the documentation for information on secure configuration and deployment and compliance with security standards and best practices.
+
+## 💬 Comments on this Policy
+
+If you have suggestions on how this process could be improved, please submit a pull request.
+
+## 🙏 Acknowledgements
+
+The Standard Carbon Registry team would like to thank all security researchers who responsibly disclose vulnerabilities and help us keep our users safe.
diff --git a/backend/services/yarn.lock b/backend/services/yarn.lock
@@ -12004,21 +12004,21 @@ semaphore-async-await@^1.5.1:
   integrity sha512-b/ptP11hETwYWpeilHXXQiV5UJNJl7ZWWooKRE5eBIYWoom6dZ0SluCIdCtKycsMtZgKWE01/qAw6jblw1YVhg==
 
 [email protected], semver@^7.3.4, semver@^7.3.5, semver@^7.3.7, semver@^7.3.8:
-  version "7.3.8"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.8.tgz#07a78feafb3f7b32347d725e33de7e2a2df67798"
-  integrity sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==
+  version "7.5.4"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e"
+  integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==
   dependencies:
     lru-cache "^6.0.0"
 
 semver@^5.5.0:
-  version "5.7.1"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7"
-  integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==
+  version "5.7.2"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.2.tgz#48d55db737c3287cd4835e17fa13feace1c41ef8"
+  integrity sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==
 
 semver@^6.0.0, semver@^6.1.1, semver@^6.1.2, semver@^6.3.0:
-  version "6.3.0"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#ee0a64c8af5e8ceea67687b133761e1becbd1d3d"
-  integrity sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==
+  version "6.3.1"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
+  integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==
 
 [email protected]:
   version "0.18.0"
@@ -13515,9 +13515,9 @@ wmf@~1.0.1:
   integrity sha512-/p9K7bEh0Dj6WbXg4JG0xvLQmIadrner1bi45VMJTfnbVHsc7yIajZyoSoK60/dtVBs12Fm6WkUI5/3WAVsNMw==
 
 word-wrap@^1.2.3:
-  version "1.2.3"
-  resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.3.tgz#610636f6b1f703891bd34771ccb17fb93b47079c"
-  integrity sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==
+  version "1.2.5"
+  resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.5.tgz#d2c45c6dd4fbce621a66f136cbe328afd0410b34"
+  integrity sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==
 
 word@~0.3.0:
   version "0.3.0"