diff --git a/README.md b/README.md index 3c6f1b0..4802df5 100644 --- a/README.md +++ b/README.md @@ -816,15 +816,15 @@ Use low-level libraries & languages. Nonetheless we're targetting algorithmic co ### Supply chain security -1. **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures. -2. **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs -3. **Rare releasing** is followed. +* **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures. +* **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs +* **Rare releasing** is followed. The less often it is done, the less code dependents would need to audit -4. **Dependencies** are minimal: +* **Dependencies** are minimal: - All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff` - Updates themselves are rare, to ensure rogue updates are not catched accidentally - One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality -5. devDependencies are only used if you want to contribute to the repo. They are disabled for end-users: +* **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users: - scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully