Security
Developing and using USWDS with security in mind
Our security policies and procedures
We follow GSA’s IT security policy to ensure the confidentiality, integrity, and availability of USWDS.
We use Snyk to find, fix, and prevent vulnerabilities in USWDS dependencies. We run Snyk checks locally during development and automatically on all pull requests.
We perform static analysis on our JavaScript on every pull request with GitHub CodeQL.
We include a security and vulnerability report with every USWDS release, and release security patches for both the 1.x and 2.x branches.
Using USWDS securely
We encourage you to verify the security and status of the USWDS package:
- Check the vulnerability badge. Confirm the vulnerability badge in the USWDS GitHub code repository says there are 0 known vulnerabilities.
- Download the package via npm. We recommend using the npm package instead of the zip file whenever possible. Using npm makes it easier to stay up to date and use the latest USWDS version as a project dependency, and is a secure and reliable way to download USWDS source code.
Report a security issue
To learn more about our security practices or to report a security issue, please email us. If the issue is confirmed, we will release a patch as soon as possible.
Verifying ZIP release hash
The /security directory in the USWDS repo contains a SHA-256 hash for each USWDS release ZIP file. Use these hashes to verify that a release ZIP you downloaded is identical to the file we published: generate the SHA-256 hash of the ZIP you wish to test and compare it with the hash we publish. If the two hashes differ, the ZIP was corrupted in transit or altered, and you should not use it.
You can also find the SHA-256 hash for the current release on the Download page.
macOS/Linux: Use the sha256sum command in a terminal window. (Replace the path with the path to the file you wish to test. macOS does not ship sha256sum; use `shasum -a 256 path/to/filename.zip` instead, which prints the same hash.)

```
sha256sum path/to/filename.zip
```

Windows: Open PowerShell and run the following command. (Replace the path with the path to the file you wish to test. If you run it from the Command Prompt instead, prefix the command with `powershell`.)

```
Get-FileHash -Algorithm SHA256 .\path\to\filename.zip
```
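The following script turns the manual comparison above into a repeatable check. It is an added example, not USWDS project code, and it assumes you have copied the expected hash from the /security directory of the USWDS repo or from the Download page and pass it as the second argument. The function names `sha256_of` and `verify_sha256` are this example's own.

```shell
#!/bin/sh
# Added example (not USWDS project code): verify a release ZIP against a
# published SHA-256 hash. Assumes the expected hash was copied from the
# /security directory of the USWDS repo or from the Download page.

# Print the SHA-256 hex digest of a file. Uses sha256sum where available
# (Linux) and falls back to shasum -a 256 (macOS); both print the same digest.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file's SHA-256 with an expected digest. The published hash may be
# copied in upper or lower case, so both sides are normalized to lower case.
# Returns 0 on match, 1 on mismatch or if the file cannot be read.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -r "$file" ]; then
    echo "ERROR: cannot read $file" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage (hypothetical path and hash; substitute the real ones):
#   verify_sha256 path/to/filename.zip <sha256-from-the-security-directory>
# A non-zero exit status means the ZIP should not be used.
```

The check compares the whole digest string rather than eyeballing a 64-character hash, so it can be dropped into a build script that fails when the download does not match the published hash.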
Security updates
- Sanitized Combo Box content. As of USWDS 2.12.1, the design system automatically sanitizes content passed into the Combo Box.
- Automatic sanitizing for all JavaScript components. As of USWDS 2.12.2, the design system automatically sanitizes content in all components we compose with JavaScript.
Latest updates
Meaningful code and guidance updates are listed in the following table:
| Date | Description |
|---|---|
| 2021-11-05 | Added security updates section. More information: uswds-site#1304 |