Improve score in OpenSSF Scorecard #1639

@christophercr

Hi,

First of all, thank you very much for creating this nice library! It's really awesome and a better alternative to Lodash, and I think that the nearly 14M+ downloads per week confirm that.

I just wanted to raise a topic, the fact that for some private projects that use this library, the security teams at some companies require that open source libraries meet some minimum requirements in terms of security. For this, a common tool to assess that is the OpenSSF Scorecard tool.

I've run this tool with this repo and it got an aggregate score of 5.4 out of 10. These are the results in detail:

```text
docker run -e GITHUB_AUTH_TOKEN=<some-token> gcr.io/openssf/scorecard:stable --repo=https://github.com/toss/es-toolkit
Status: Downloaded newer image for gcr.io/openssf/scorecard:stable
Starting [CII-Best-Practices]
Starting [Signed-Releases]
Starting [License]
Starting [CI-Tests]
Starting [Maintained]
Starting [Dependency-Update-Tool]
Starting [SAST]
Starting [Packaging]
Starting [Security-Policy]
Starting [Token-Permissions]
Starting [Vulnerabilities]
Starting [Dangerous-Workflow]
Starting [Code-Review]
Starting [Contributors]
Starting [Branch-Protection]
Starting [Fuzzing]
Starting [Pinned-Dependencies]
Starting [Binary-Artifacts]

Check scores:
Finished [Security-Policy]
Finished [Token-Permissions]
Finished [Vulnerabilities]
Finished [Dangerous-Workflow]
Finished [Code-Review]
Finished [Contributors]
Finished [Branch-Protection]
Finished [Fuzzing]
Finished [Pinned-Dependencies]
Finished [Binary-Artifacts]
Finished [CII-Best-Practices]
Finished [Signed-Releases]
Finished [License]
Finished [CI-Tests]
Finished [Maintained]
Finished [Dependency-Update-Tool]
Finished [SAST]
Finished [Packaging]

RESULTS
-------
Aggregate score: 5.4 / 10
SCORE NAME REASON DOCUMENTATION/REMEDIATION
10 / 10 Binary-Artifacts no binaries found in the repo https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts
5 / 10 Branch-Protection branch protection is not maximal on development and all release branches https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection
8 / 10 CI-Tests 11 out of 13 merged PRs checked by a CI test -- score normalized to 8 https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests
0 / 10 CII-Best-Practices no effort to earn an OpenSSF best practices badge detected https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices
2 / 10 Code-Review Found 8/27 approved changesets -- score normalized to 2 https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review
10 / 10 Contributors project has 51 contributing companies or organizations -- score normalized to 6 https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors
10 / 10 Dangerous-Workflow no dangerous workflow patterns detected https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow
10 / 10 Dependency-Update-Tool update tool detected https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool
0 / 10 Fuzzing project is not fuzzed https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing
9 / 10 License license file detected https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license
10 / 10 Maintained 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained
? Packaging packaging workflow not detected https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging
9 / 10 Pinned-Dependencies dependency not pinned by hash detected -- score normalized to 9 https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies
0 / 10 SAST SAST tool is not run on all commits -- score normalized to 0 https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast
10 / 10 Security-Policy security policy file detected https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy
0 / 10 Signed-Releases Project has not signed or included provenance with any releases https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases
0 / 10 Token-Permissions detected GitHub workflow tokens with excessive permissions https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions
0 / 10 Vulnerabilities 37 existing vulnerabilities detected https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities
```

So I believe there are some low hanging fruits that could be fixed to improve the score:

  • pin dependencies to an exact version
  • upgrade vulnerable dependencies, and some of them perhaps might be already fixed in the PRs opened by dependabot
  • ensure that the project's automated workflow tokens follow the principle of least privilege
  • branch protection

IMHO this will be beneficial for everyone, as adoption of this library could increase even more, especially in private projects, and consumers can be confident that they are using a library with good security measures.

WDYT?
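As an added example that is not es-toolkit's own workflow (the project's CI files are not shown in this issue), the following GitHub Actions workflow illustrates the two remediations the Token-Permissions and Pinned-Dependencies checks above look for: a read-only `GITHUB_TOKEN` by default with narrowly scoped job-level grants, and every action pinned to a full commit SHA instead of a mutable tag. The job names, the Node version, and the all-zero SHAs are assumptions and placeholders.

```yaml
# Hardened CI workflow (added example; hypothetical file .github/workflows/ci.yml).
# The weak form Scorecard flags has no top-level `permissions:` block (so the
# token inherits the repository default, which may include write scopes) and
# references actions by tag, e.g. `actions/checkout@v4`, which can move.
name: ci
on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Workflow-wide default: the GITHUB_TOKEN can only read repository contents.
# Any job that needs more must ask for it explicitly below.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Placeholder SHAs (40 zeros) -- replace each with the commit behind the
      # tag you audited, e.g. `git ls-remote https://github.com/actions/checkout v4`.
      # Keeping the tag in a trailing comment lets Dependabot update both.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder)
        with:
          node-version: 20            # assumed; use the project's supported version
      # `npm ci` installs exactly what the lockfile records; `npm install`
      # inside a workflow is what the Pinned-Dependencies check reports.
      - run: npm ci
      - run: npm test

  publish:
    # Only runs for version tags; the elevated scopes below are limited to this job.
    if: startsWith(github.ref, 'refs/tags/v')
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write               # required for npm provenance attestations
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder)
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

The `publish` job also addresses the Signed-Releases row in the results above, since `--provenance` attaches a build attestation to the package; it is optional if only the Token-Permissions and Pinned-Dependencies findings are being fixed.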
