🔧 update lint configuration, clean up package.json, fix minor issues

ctcpip · ctcpip · commit 502b8cd3b7ba · 2025-07-24T15:24:01.000-05:00
Signed-off-by: ctcpip &lt;ctcpip@users.noreply.github.com&gt;
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -1,53 +1,27 @@
----
-#################################
-#################################
-## Super Linter GitHub Actions ##
-#################################
-#################################
-name: Lint Code Base
+name: 'Lint Markdown'
 
-#############################
-# Start the job on all push #
-#############################
 on:
   push:
-    branches: [main]
   pull_request:
-    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
-###############
-# Set the Job #
-###############
 jobs:
-  build:
-    # Name the Job
-    name: Lint Markdown
-    # Set the agent to run on
+  lint:
+    name: Lint
     runs-on: ubuntu-latest
-
-    ##################
-    # Load all steps #
-    ##################
     steps:
-      ##########################
-      # Checkout the code base #
-      ##########################
-      - name: Checkout Code
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
-          # Full git history is needed to get a proper
-          # list of changed files within `super-linter`
-          fetch-depth: 0
+          persist-credentials: false
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+
+      - name: Install dependencies
+        run: npm install --ignore-scripts --include=dev
 
-      ############################################
-      # Run Linter against Markdown in code base #
-      ############################################
-      - name: Lint Markdown
-        uses: github/super-linter@v4
-        env:
-          VALIDATE_ALL_CODEBASE: false
-          DEFAULT_BRANCH: main
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VALIDATE_MARKDOWN: true
-          LINTER_RULES_PATH: /
-          MARKDOWN_CONFIG_FILE: .markdownlint.yml
+      - name: Run lint
+        run: npm test
diff --git a/.markdownlint-cli2.jsonc b/.markdownlint-cli2.jsonc
@@ -0,0 +1,11 @@
+{
+  "globs": [
+    "**/*.md"
+  ],
+  "ignores": [
+    "node_modules",
+    "docs/meeting-notes/202[0-3]*.md",
+    "docs/SIREN",
+    "docs/TTX"
+  ]
+}
diff --git a/.npmrc b/.npmrc
@@ -0,0 +1 @@
+package-lock=false
diff --git a/README.md b/README.md
@@ -4,18 +4,21 @@
 
 The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
 
-The Vulnerability Disclosure Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF <img align="right" src="https://github.com/ossf/tac/blob/main/files/images/OpenSSF_StagesBadges_graduated.png" width="100" height="100">>
+The Vulnerability Disclosure Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF <img alt="openssf gradtuated WG" align="right" src="https://github.com/ossf/tac/blob/main/files/images/OpenSSF_StagesBadges_graduated.png" width="100" height="100"><!-- markdownlint-disable-line MD033 -->
 
-<img align="right" src="https://github.com/ossf/wg-vulnerability-disclosures/blob/main/ossf-goose-vuln.png" width="300" height="300"><!-- markdownlint-disable-line MD033 -->
+<img alt="OpenSSF Vulnerability Disclosures Working Group logo" align="right" src="https://github.com/ossf/wg-vulnerability-disclosures/blob/main/ossf-goose-vuln.png" width="300" height="300"><!-- markdownlint-disable-line MD033 -->
 
 ## **Mission**
+
 The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers.
 
 ## **Vision**
+
 A world where coordinated vulnerability disclosure is a normal, easy, and expected process that is supported by guidance, automation, and tooling for maintainers, consumers, researchers, and vendors, with the goal of making open source software and the open source software supply chain more secure for everyone.
 
 A world where coordinated vulnerability disclosure is:
--  a common, easy, and expected process
+
+- a common, easy, and expected process
 - supported by well-documented guidance, automation, and tooling for open source maintainers and consumers, security researchers, and vendors
 - with the goal of making open source software and supply chains more secure for everyone.
 
@@ -43,7 +46,7 @@ We plan on addressing this challenge through the following actions:
 
 ## **Current work**
 
-<img align="right" src="https://github.com/ossf/wg-vulnerability-disclosures/blob/main/ossf-vuln-wg.png" width="400" height="400"><!-- markdownlint-disable-line MD033 -->
+<img alt="diagram of current work" align="right" src="https://github.com/ossf/wg-vulnerability-disclosures/blob/main/ossf-vuln-wg.png" width="400" height="400"><!-- markdownlint-disable-line MD033 -->
 
 - [Guides to coordinated vulnerability disclosure for open source software projects](https://github.com/ossf/oss-vulnerability-guide) to assist projects in handling vulnerabilities.
 - [Open Source Vulnerability Schema](https://github.com/ossf/osv-schema) - see also [osv.dev](https://osv.dev).
diff --git a/SECURITY.md b/SECURITY.md
@@ -9,4 +9,4 @@ If you've been unable to find a way to report it,
 or have received no response after repeated attempts, please contact the
 OpenSSF security contact email, security @ openssf . org.
 
-Thank you.
+Thank you.
diff --git a/docs/guides/becoming-a-cna-as-an-open-source-org-or-project.md b/docs/guides/becoming-a-cna-as-an-open-source-org-or-project.md
@@ -2,7 +2,7 @@
 
 > **NOTE:**
 > This document was drafted using the following document revisions:
-> 
+>
 > * CVE Numbering Authority (CNA) Rules, Version 3.0
 > * CVE Record Dispute Policy, Version 1.0
 > * CVE Program Policy and Procedure for End of Life Products, Version 1.2
@@ -106,7 +106,7 @@ Optionally have the answers to this information:
 If you don't want Red Hat to be your Root you can contact any other Root (search "Root" in the [list of CNAs](https://www.cve.org/PartnerInformation/ListofPartners)).
 
 > [!TIP]
-> A [Root CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryRoot) is an organization authorized within the CVE Program that is responsible, within a specific Scope, for the recruitment, training, and governance of one or more entities that are a CNA, CNA-LR, or another Root. Red Hat became a Root CNA to develop governance focusing on **open source software (OSS)** needs. Red Hat uses this approach to invite the community to create unique and different aspects of OSS for the CVE Program to consider. For example, as a Root CNA, Red Hat has created opportunities for CNAs to collaborate with other projects and communities, has championed OSS automated tooling improvements within the Program, and has successfully helped OSS projects like [curl](https://curl.se/docs/CVE-2023-52071.html) navigate CVE complexities. Learn more [here](https://access.redhat.com/articles/red_hat_cve_program) & [here](https://github.com/ossf/wg-vulnerability-disclosures/issues/157#issuecomment-2545939617) about Red Hat's engagement with CVE.
+> A [Root CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryRoot) is an organization authorized within the CVE Program that is responsible, within a specific Scope, for the recruitment, training, and governance of one or more entities that are a CNA, CNA-LR, or another Root. Red Hat became a Root CNA to develop governance focusing on **open source software (OSS)** needs. Red Hat uses this approach to invite the community to create unique and different aspects of OSS for the CVE Program to consider. For example, as a Root CNA, Red Hat has created opportunities for CNAs to collaborate with other projects and communities, has championed OSS automated tooling improvements within the Program, and has successfully helped OSS projects like [curl](https://curl.se/docs/CVE-2023-52071.html) navigate CVE complexities. Learn more about [Red Hat's CVE Program](https://access.redhat.com/articles/red_hat_cve_program) and their [engagement with open source](https://github.com/ossf/wg-vulnerability-disclosures/issues/157#issuecomment-2545939617).
 
 You can always ask your prospective Root questions about the process of becoming and operating a CNA - they will be an excellent resource to you.
 
diff --git a/members.md b/members.md
@@ -42,7 +42,6 @@ Current Active Members
 - Timur Snoke, CERT/CC
 - Laurie Tyzenhaus, CERT/CC
 
-
 ## Hall of Fame
 
 Former Vulnaut contributors that are always welcome!
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
