photostructure
diff --git a/‎.github/ISSUE_TEMPLATE/security-report.md‎
Lines changed: 39 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/security-report.md‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎.github/workflows/security.yml‎
Lines changed: 168 additions & 0 deletions b/‎.github/workflows/security.yml‎
Lines changed: 168 additions & 0 deletions
diff --git a/‎.osv-scanner.toml‎
Lines changed: 15 additions & 0 deletions b/‎.osv-scanner.toml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.snyk‎
Lines changed: 24 additions & 0 deletions b/‎.snyk‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎.trufflehog-exclude.txt‎
Lines changed: 13 additions & 0 deletions b/‎.trufflehog-exclude.txt‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 33 additions & 3 deletions b/‎README.md‎
Lines changed: 33 additions & 3 deletions
@@ -0,0 +1,39 @@
+---
+name: Security Vulnerability Report
+about: Report a security vulnerability (for non-sensitive issues only)
+title: '[SECURITY] '
+labels: security
+assignees: ''
+---
+
+<!--
+⚠️ IMPORTANT: For sensitive security vulnerabilities, please DO NOT use this public issue tracker.
+Instead, email us at security@photostructure.com
+
+This template is only for:
+- Non-sensitive security concerns
+- Security feature requests
+- Questions about security practices
+-->
+
+## Description
+
+A clear and concise description of the security concern.
+
+## Impact
+
+Describe the potential impact if this issue is not addressed.
+
+## Steps to Reproduce (if applicable)
+
+1. Step 1
+2. Step 2
+3. ...
+
+## Suggested Fix
+
+If you have suggestions on how to address this issue, please describe them here.
+
+## Additional Context
+
+Add any other context about the security concern here.
@@ -0,0 +1,168 @@
+name: Security Scanning
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Run security scan weekly on Monday at 9am UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  npm-audit:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'npm'
+
+      - name: Run npm audit
+        run: |
+          npm audit --production --audit-level=moderate || true
+          npm audit --audit-level=moderate
+
+  snyk:
+    name: Snyk Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=medium
+        continue-on-error: true # Don't fail the build if vulnerabilities are found
+
+      - name: Upload Snyk results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: snyk.sarif
+
+  osv-scanner:
+    name: OSV Scanner
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run OSV Scanner
+        uses: google/osv-scanner-action@v1.8.3
+        with:
+          scan-args: |-
+            --recursive
+            .
+
+  codeql-javascript:
+    name: CodeQL JavaScript/TypeScript Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+
+  codeql-cpp:
+    name: CodeQL C++ Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup build environment
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3 make g++ gcc
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: cpp
+          queries: security-and-quality
+
+      - name: Build C++ code
+        run: npm run node-gyp-rebuild
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+          deny-licenses: AGPL-3.0, GPL-3.0
+
+  secrets-scan:
+    name: Secrets Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --exclude-paths .trufflehog-exclude.txt --only-verified
+        continue-on-error: true
+
+  summary:
+    name: Security Summary
+    runs-on: ubuntu-latest
+    needs: [npm-audit, snyk, osv-scanner, codeql-javascript, codeql-cpp, secrets-scan]
+    if: always()
+    steps:
+      - name: Summary
+        run: |
+          echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| NPM Audit | ${{ needs.npm-audit.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Snyk | ${{ needs.snyk.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| OSV Scanner | ${{ needs.osv-scanner.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| CodeQL JS/TS | ${{ needs.codeql-javascript.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| CodeQL C++ | ${{ needs.codeql-cpp.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Secrets Scan | ${{ needs.secrets-scan.result }} |" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,15 @@
+# OSV Scanner Configuration
+# https://google.github.io/osv-scanner/configuration/
+
+[[IgnoredVulns]]
+# Add any false positives or accepted risks here
+# id = "GHSA-xxx"
+# reason = "This vulnerability doesn't affect our usage"
+
+[PackageOverrides]
+# Override package information if needed
+# [[PackageOverrides.entry]]
+# name = "package-name"
+# ecosystem = "npm"
+# ignore = true
+# reason = "Dev dependency only"
@@ -0,0 +1,24 @@
+# Snyk (https://snyk.io) policy file
+version: v1.25.0
+
+# Ignore specific vulnerabilities
+ignore: {}
+
+# Patches to apply
+patch: {}
+
+# Language settings
+language-settings:
+  node-js:
+    enableLicensesScan: true
+    
+# Project settings  
+exclude:
+  global:
+    - "benchmark/**"
+    - "vendored/**"
+    - "dist/**"
+    - "test/**"
+    - "scripts/**"
+    - "*.test.ts"
+    - "*.test.js"
@@ -0,0 +1,13 @@
+node_modules/
+dist/
+build/
+vendored/
+prebuilds/
+\.min\.js$
+\.map$
+package-lock\.json
+benchmark/node_modules/
+coverage/
+\.git/
+\.(jpg|jpeg|png|gif|ico|svg|webp)$
+\.(woff|woff2|ttf|eot)$
@@ -138,6 +138,8 @@ await db.backup("./other-backup.db", {
 
 ### Session-based Change Tracking
 
+SQLite's session extension allows you to record changes and apply them to other databases - perfect for synchronization, replication, or undo/redo functionality. This feature is available in both `node:sqlite` and `@photostructure/sqlite`, but not in better-sqlite3.
+
 ```typescript
 // Create a session to track changes
 const session = db.createSession({ table: "users" });
@@ -149,7 +151,7 @@ db.prepare("INSERT INTO users (name, email) VALUES (?, ?)").run(
   "bob@example.com",
 );
 
-// Get the changes
+// Get the changes as a changeset
 const changeset = session.changeset();
 session.close();
 
@@ -201,7 +203,7 @@ This package provides performance comparable to Node.js's built-in SQLite and be
 
 - **Synchronous operations** - No async/await overhead
 - **Direct C library access** - Minimal JavaScript ↔ native boundary crossings
-- **Full SQLite features** - FTS5, JSON functions, R\*Tree indexes, math functions, session extension
+- **Full SQLite features** - FTS5, JSON functions, R\*Tree indexes, math functions, session extension (including changesets)
 
 Performance is quite similar to node:sqlite and better-sqlite3, while significantly faster than async sqlite3 due to synchronous operations.
 
@@ -236,7 +238,7 @@ _The official SQLite module included with Node.js 22.5.0+ (experimental)_
 - **Zero dependencies** — Built directly into Node.js
 - **Official support** — Maintained by the Node.js core team
 - **Clean synchronous API** — Simple, predictable blocking operations
-- **Full SQLite power** — FTS5, JSON functions, R\*Tree, and more
+- **Full SQLite power** — FTS5, JSON functions, R\*Tree, sessions/changesets, and more
 
 **⚠️ Cons:**
 
@@ -259,13 +261,15 @@ _The most popular high-performance synchronous SQLite library_
 - **Blazing fast** — 2-15x faster than async alternatives
 - **Rock-solid stability** — Battle-tested in thousands of production apps
 - **Rich feature set** — User functions, aggregates, virtual tables, extensions
+- **Extensive community** — Large ecosystem with many resources
 
 **⚠️ Cons:**
 
 - **Different API** — Not compatible with Node.js built-in SQLite
 - **V8-specific** — Requires separate builds for each Node.js version
 - **Synchronous only** — No async operations (usually a feature, not a bug)
 - **Migration effort** — Switching from other libraries requires code changes
+- **No session support** — Doesn't expose SQLite's session/changeset functionality
 
 **🎯 Best for:** High-performance applications where you want maximum speed and control over the API.
 
@@ -306,6 +310,7 @@ _The original asynchronous SQLite binding for Node.js_
 - ✅ **Synchronous performance** with a clean, official API
 - ✅ **Node-API stability** — one build works across Node.js versions
 - ✅ **Zero migration path** when `node:sqlite` becomes stable
+- ✅ **Session/changeset support** for replication and synchronization
 
 ### Choose **`better-sqlite3`** when you want:
 
@@ -352,6 +357,31 @@ See [TODO.md](./TODO.md) for the complete feature list and future enhancements.
 - 📋 Additional platform-specific optimizations
 - 📋 Enhanced debugging and profiling tools
 
+## Security
+
+This project takes security seriously and employs multiple layers of protection:
+
+- **Automated scanning**: npm audit, Snyk, OSV Scanner, CodeQL (JS/TS and C++), and TruffleHog
+- **Weekly security scans**: Automated checks for new vulnerabilities
+- **Rapid patching**: Security fixes are prioritized and released quickly
+- **Memory safety**: Validated through ASAN, valgrind, and comprehensive testing
+
+### Running Security Scans Locally
+
+```bash
+# Install security tools (OSV Scanner, better-npm-audit, etc.)
+npm run security:setup
+
+# Run all security scans
+npm run security
+
+# Run individual scans
+npm run security:audit  # npm audit
+npm run security:osv    # OSV Scanner (requires Go)
+```
+
+For details, see our [Security Policy](./SECURITY.md). To report vulnerabilities, please email security@photostructure.com.
+
 ## License
 
 MIT License - see [LICENSE](./LICENSE) for details.