
Security Checks

FeatureDrop includes layered safeguards for source code and manifest content.

Recommended order

pnpm typecheck
pnpm security-check
npx featuredrop validate --pattern "features/**/*.md"
pnpm test
pnpm build
pnpm size-check

Layer 1: Static source audit

pnpm security-check

Scans for risky patterns:

Pattern                                    Risk
eval(...)                                  Arbitrary code execution
new Function(...)                          Arbitrary code execution
direct .innerHTML = ...                    XSS vector
non-allowlisted dangerouslySetInnerHTML    XSS vector
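To show what a Layer 1 audit actually does, here is an added example of a small static source scanner that flags the four patterns in the table. It is illustrative code written for this page, not FeatureDrop's own security-check script; the allowlist path, the rule ids and the sample files are constructed for the demo.

```javascript
// Added example: a minimal static source audit in the spirit of `pnpm security-check`.
// Not FeatureDrop's own script. Rule ids, the allowlist path and the sample files
// below are constructed for the demo.

const RULES = [
  { id: 'eval', risk: 'Arbitrary code execution', re: /\beval\s*\(/ },
  { id: 'new-function', risk: 'Arbitrary code execution', re: /\bnew\s+Function\s*\(/ },
  // Matches `.innerHTML = x` and `.innerHTML += x`, but not comparisons such as `.innerHTML === ''`.
  { id: 'innerhtml-assign', risk: 'XSS vector', re: /\.innerHTML\s*\+?=(?!=)/ },
  { id: 'dangerously-set-inner-html', risk: 'XSS vector', re: /dangerouslySetInnerHTML/ },
];

// Files in which dangerouslySetInnerHTML has been reviewed and the content is sanitized
// before rendering (hypothetical path, constructed for this example).
const DANGEROUS_HTML_ALLOWLIST = new Set(['src/renderers/SanitizedHtml.tsx']);

// Scan one file's text line by line; returns one finding per (line, rule) hit.
function auditSource(filePath, source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      if (!rule.re.test(line)) continue;
      // dangerouslySetInnerHTML is only reported when the file is not on the allowlist.
      if (rule.id === 'dangerously-set-inner-html' && DANGEROUS_HTML_ALLOWLIST.has(filePath)) continue;
      findings.push({ file: filePath, line: idx + 1, rule: rule.id, risk: rule.risk, text: line.trim() });
    }
  });
  return findings;
}

function auditFiles(files) {
  return files.flatMap(({ path, source }) => auditSource(path, source));
}

// Constructed sample sources: one allowlisted renderer, one risky widget, one config loader.
const SAMPLE_FILES = [
  {
    path: 'src/renderers/SanitizedHtml.tsx',
    source: "export function SanitizedHtml({ html }) {\n  return <div dangerouslySetInnerHTML={{ __html: sanitize(html) }} />;\n}",
  },
  {
    path: 'src/widgets/Banner.tsx',
    source: "export function Banner({ body }) {\n  const el = document.getElementById('banner');\n  el.innerHTML = body;\n  if (el.innerHTML === '') return null;\n  return <div dangerouslySetInnerHTML={{ __html: body }} />;\n}",
  },
  {
    path: 'src/utils/config.js',
    source: "export function loadConfig(text) {\n  return eval('(' + text + ')');\n}\nexport const compile = (src) => new Function('ctx', src);",
  },
];

// Runs the audit over the constructed sample and returns the findings (4 for SAMPLE_FILES).
function runAudit() {
  return auditFiles(SAMPLE_FILES);
}

for (const f of runAudit()) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.risk}: ${f.text}`);
}
```

The allowlisted renderer produces no finding, while the widget is reported for both the direct `.innerHTML` assignment and the non-allowlisted `dangerouslySetInnerHTML`, and the config loader for `eval` and `new Function`. A real audit would walk the source tree and exit non-zero on any finding so CI fails.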

Layer 2: Manifest safety

npx featuredrop validate --pattern "features/**/*.md"

Checks include:

  • URL safety for url, image, cta.url
  • Duplicate IDs
  • Dependency cycles
  • Date ordering (showNewUntil after releasedAt)
  • Unsafe metadata keys
⚠️ If you build custom headless renderers and use dangerouslySetInnerHTML, sanitize content explicitly.

Layer 3: GitHub security workflows

  • .github/workflows/ci.yml runs pnpm security-check
  • .github/workflows/codeql.yml runs CodeQL scans

Report vulnerabilities via GitHub Security Advisories. See SECURITY.md.