fix: fix Inefficient regular expression, add security file and configure sonar cloud (#55)

* fix: potential fix for code scanning alert no. 3: Inefficient regular expression

* chore: fix regular expression

* chore: implement 'isValidHostname' for hostname validation

* docs: generate api doc for isValidHostname

* chore: add security file and configure sonar cloud

* chore: allow sonar to exclude .spec.ts file in the test coverage

---------

Co-authored-by: Mr Stone <pierre.evens16@gmail.com>

Author: evens-stone

.github/workflows/main.yml

@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -32,6 +34,10 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: stonemjs/http-core
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   release-please:
     runs-on: ubuntu-latest

.github/workflows/pr.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - main
+    types: [opened, synchronize, reopened]
 
 permissions:
   contents: read
@@ -14,6 +15,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -25,4 +28,8 @@ jobs:
       - name: Run tests
         run: npm run test:cvg
       - name: Build library
-        run: npm run build
+        run: npm run build
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.gitignore

@@ -76,10 +76,5 @@ pnpm-debug.log*
 *.sln
 *.sw?
 
-# Index
-index.html
-
-# Examples
-examples/
-
-README_docs.md
+# SonarLint (VSCode)
+.sonarlint/

README.md

@@ -6,7 +6,9 @@
 ![Maintenance](https://img.shields.io/maintenance/yes/2025)
 [![Build Status](https://github.com/stonemjs/http-core/actions/workflows/main.yml/badge.svg)](https://github.com/stonemjs/http-core/actions/workflows/main.yml)
 [![Publish Package to npmjs](https://github.com/stonemjs/http-core/actions/workflows/release.yml/badge.svg)](https://github.com/stonemjs/http-core/actions/workflows/release.yml)
+[![Quality gate](https://sonarcloud.io/api/project_badges/quality_gate?project=stonemjs_http-core)](https://sonarcloud.io/summary/new_code?id=stonemjs_http-core)
 [![codecov](https://codecov.io/gh/stonemjs/http-core/graph/badge.svg?token=5MKS9179YL)](https://codecov.io/gh/stonemjs/http-core)
+[![Security Policy](https://img.shields.io/badge/Security-Policy-blue.svg)](./SECURITY.md)
 [![CodeQL](https://github.com/stonemjs/http-core/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/stonemjs/http-core/security/code-scanning)
 [![Dependabot Status](https://img.shields.io/badge/Dependabot-enabled-brightgreen.svg)](https://github.com/stonemjs/http-core/network/updates)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg)](https://conventionalcommits.org)

SECURITY.md

@@ -0,0 +1,62 @@
+# Security Policy
+
+Thank you for your interest in the security of Stone.js. We take the security of our framework and its users seriously. 
+This document outlines the process for reporting vulnerabilities and our commitment to secure development.
+
+## Supported Versions
+
+We actively maintain and patch the latest stable release of Stone.js and its core packages.
+
+| Version   | Status                             |
+| --------- | ---------------------------------- |
+| `1.x`     | ✅ Actively maintained             |
+| `< 1.0.0` | ⚠️ Legacy, no guaranteed patches   |
+
+If you're using an older version and encounter a security issue, we encourage you to upgrade to the latest release.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Stone.js or any of its official packages, **please report it responsibly and privately**.
+
+### How to report
+
+- Email: **security@stonejs.com**
+- Subject: `Security Issue: [Your short description]`
+- Include:
+  - A detailed description of the vulnerability
+  - Steps to reproduce (if applicable)
+  - A suggested fix or patch (optional but appreciated)
+  - Affected versions and environments
+
+We will respond within **5 working days** and aim to provide a fix or mitigation within **30 days**, depending on severity.
+
+## Our Commitment
+
+We commit to:
+
+- Promptly investigate and validate reports
+- Keep reporters informed of the resolution progress
+- Publicly disclose confirmed vulnerabilities **after a fix is available**, with appropriate credit (unless anonymity is requested)
+- Maintain secure coding standards and regular dependency audits using:
+  - [GitHub CodeQL](https://codeql.github.com/)
+  - [Dependabot](https://github.com/dependabot)
+
+## Disclosure Policy
+
+We follow a **coordinated disclosure** policy:
+
+- Vulnerabilities are not published until a fix is available.
+- CVE identifiers will be requested when applicable.
+- Security-related changes are clearly documented in release notes and changelogs.
+
+## Acknowledgements
+
+We deeply appreciate the responsible security researchers and users who help keep Stone.js secure.
+
+If you’d like to contribute to security audits, penetration testing, or analysis of Stone.js internals, feel free to reach out via [security@stonejs.com](mailto:security@stonejs.com).
+
+## Thank You
+
+Security is a shared responsibility, thank you for helping make Stone.js safer for everyone.
+
+— The Stone.js Team