Proposing index.json for /vuln/core and /vuln/npm
I’d like to propose the addition of an index.json file for both /vuln/core and /vuln/npm, which can be automatically generated by a tool. Currently, this tool doesn’t exist, but I’m more than happy to create it and PR it into the repository’s /tools directory.
Why
I’ve previously worked on a project that consumed the data in this repository. To be able to parse the Node.js core data and operate on it, we had to put together all of the JSON files on our end and create a single index file. This is what was suggested in the previous discussion around a central file, but in practice it causes a non-trivial amount of overhead in terms of the code (ref: 1, 2) needed to pull this data, which is already provided but in a significantly less optimal format than if it just already existed from the project.
Additionally, there are multiple bits of ecosystem tooling that I would like to start working on, but I would rather have a centralized/blessed source of this data accessible to the world from the Security WG than having to re-invent the wheel as an independent npm module that adds additional dependencies to users’ dependency trees, or as code I keep in my apps.
Use Cases:
Here are some examples of what I’m interested in working on around this space. Not sure I can get to all of them myself, but I’m happy to knock out as many as possible once this data is available. Happy to do any of them in conjunction.
- Public APIs
  - A public API (just raw JSON) that declares just the minimum secure version of each active release line, via JSON.
  - A public API (just raw JSON) that surfaces minimum secure versions of all modules that have a vulnerability, via JSON.
- A Probot (GitHub Apps) app to automatically update engines, .nvmrc, .node-version, Dockerfile, and any other versioning tooling to reflect the minimum secure version of Node.js.
Issue Analytics: created 5 years ago; reactions: 3; comments: 14 (14 by maintainers)
@lirantal fwiw I have availability to work on this now, as evidenced by the PR – happy to chat more and implement in a way that’s effective for everyone 😅
My needs:
Ideally, this would be an official resource. This data is useless if it’s maintained by a third party – including myself – because consumers of this kind of data should not be trusting a third-party.
Next steps: index.json files from #489