Open-source release security checklist
Before you publish your repo, your npm package, or your PyPI library — run this checklist. Covers history, secrets, dependencies, provenance.
For: Anyone releasing open-source code or packages
Repository
- Full git history scanned for secrets (not just HEAD) [critical]
- No customer data in commits
- SECURITY.md present with disclosure contact
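Why the first item says "not just HEAD": a key that was committed and then deleted in a later commit is invisible in the checkout but still sits in every clone's history. The script below is an added example, not part of the checklist page or any project's tooling. It assumes git is installed; the throwaway repository, the sample key value and the token regexes are constructed for the demonstration and should be tuned for your own stack.

```shell
#!/bin/sh
# Added example, not from the checklist page or any project: shows why a
# secret scan must cover the full git history rather than the checked-out
# tree. Assumes git is installed; the repository, the sample key and the
# token patterns below are all constructed for the demonstration.

# Extended regexes for a few common credential shapes (AWS access key id,
# GitHub personal access token, PEM private key header). Tune for your stack.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'

# What a HEAD-only scan sees: secret-looking lines in the tracked files of
# the current checkout. Prints the total count (0 when clean).
scan_head() {
  git -C "$1" grep -E -c -e "$SECRET_PATTERNS" 2>/dev/null \
    | awk -F: '{ n += $2 } END { print n + 0 }'
}

# What a full-history scan sees: secret-looking lines that were ever added in
# any commit on any branch. Only '+' lines are inspected, so the later removal
# of a key neither hides it nor double counts it.
scan_history() {
  git -C "$1" log --all -p --no-color --format= \
    | grep '^+[^+]' \
    | grep -E -c -e "$SECRET_PATTERNS" || true
}

# Build a throwaway repository: commit a file holding a sample key, then
# "remove" the key the way it usually happens, with a follow-up commit.
make_demo_repo() {
  repo=$(mktemp -d)
  git init -q "$repo"
  # AKIAIOSFODNN7EXAMPLE is the documented AWS example id, not a real credential.
  printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$repo/config.env"
  git -C "$repo" add config.env
  git -C "$repo" -c user.name=demo -c user.email=demo@example.com commit -q -m 'add config'
  printf 'AWS_ACCESS_KEY_ID=<set from the environment>\n' > "$repo/config.env"
  git -C "$repo" add config.env
  git -C "$repo" -c user.name=demo -c user.email=demo@example.com commit -q -m 'remove key from config'
  echo "$repo"
}

# Usage: the checkout looks clean, the history does not.
DEMO=$(make_demo_repo)
echo "HEAD-only scan:     $(scan_head "$DEMO") secret-looking line(s)"
echo "full-history scan:  $(scan_history "$DEMO") secret-looking line(s)"
rm -rf "$DEMO"
```

A finding from the history scan means the credential must be rotated; rewriting history afterwards only tidies the repo, it does not un-leak the value.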
Dependencies
- No deprecated or unmaintained direct deps
- Lock file committed
- License compatibility verified
Publishing
- 2FA required for publish [critical]
- Automation token used for publishing (not a personal access token)
- Provenance attestation emitted (Sigstore / SLSA)
- Release notes without exploit details (for security fixes, coordinate disclosure)
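Several items in the Repository, Dependencies and Publishing lists can be verified from the working tree before any registry is involved: the lock file is actually committed, SECURITY.md names a disclosure contact, and no registry credential (the kind an automation token would otherwise replace) is tracked in the repo. The preflight below is an added example, not part of the checklist page or any project's tooling; it assumes git is installed and builds its own fixture repository with constructed sample contents.

```shell
#!/bin/sh
# Added example, not from the checklist page or any project: an offline
# pre-publish preflight for the items that can be verified from the working
# tree itself. Assumes git is installed; the fixture repository and its
# contents are constructed below.

# Stage everything and commit with a fixed identity so it works in a bare CI shell.
commit_all() {
  git -C "$1" add -A
  git -C "$1" -c user.name=demo -c user.email=demo@example.com commit -q -m "$2"
}

# Print the number of failed checks on stdout (0 means the tree passes);
# details go to stderr so callers can act on the count alone.
preflight() {
  repo=$1
  failures=0

  # Lock file committed: at least one common lock file must be tracked by git,
  # not merely present on disk.
  lock_tracked=0
  for f in package-lock.json npm-shrinkwrap.json pnpm-lock.yaml yarn.lock poetry.lock Cargo.lock; do
    if git -C "$repo" ls-files --error-unmatch "$f" >/dev/null 2>&1; then
      lock_tracked=1
    fi
  done
  if [ "$lock_tracked" -eq 0 ]; then
    echo "FAIL: no lock file is committed" >&2
    failures=$((failures + 1))
  fi

  # SECURITY.md present and naming a disclosure contact (an e-mail address or URL).
  if ! grep -E -q '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}|https?://' "$repo/SECURITY.md" 2>/dev/null; then
    echo "FAIL: SECURITY.md missing or has no disclosure contact" >&2
    failures=$((failures + 1))
  fi

  # Publishing credentials belong in CI secret storage, never in the tree:
  # fail if a tracked .npmrc or .pypirc carries a credential line.
  for f in .npmrc .pypirc; do
    if git -C "$repo" ls-files --error-unmatch "$f" >/dev/null 2>&1 \
       && grep -q -E '_authToken|^password' "$repo/$f"; then
      echo "FAIL: registry credential committed in $f" >&2
      failures=$((failures + 1))
    fi
  done

  echo "$failures"
}

# Build a throwaway repository with package.json and a SECURITY.md but no lock
# file, as the starting point for the checks. All values are constructed.
make_fixture() {
  repo=$(mktemp -d)
  git init -q "$repo"
  printf '{ "name": "demo-pkg", "version": "1.0.0" }\n' > "$repo/package.json"
  printf '# Security policy\nReport vulnerabilities to security@example.com\n' > "$repo/SECURITY.md"
  commit_all "$repo" 'initial commit'
  echo "$repo"
}

# Usage: run the preflight, fix the findings, run it again.
DEMO=$(make_fixture)
echo "failures before fixes: $(preflight "$DEMO")"
printf '{ "name": "demo-pkg", "lockfileVersion": 3 }\n' > "$DEMO/package-lock.json"
commit_all "$DEMO" 'commit lock file'
echo "failures after committing the lock file: $(preflight "$DEMO")"
rm -rf "$DEMO"
```

Wire `preflight "$(git rev-parse --show-toplevel)"` into the release job and fail the job on a non-zero count; the 2FA and provenance items still have to be enforced on the registry and CI side, since nothing in the tree can prove them.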