🩹 Security Patch Process

1. Purpose

This document outlines Nemu Inc.’s process for identifying, evaluating, and applying security patches to systems, applications, and dependencies.

Includes:

Node.js and related runtime dependencies used by Nemu Inc.’s APIs and Next.js applications.
Application dependencies managed via npm / pnpm.
Runtime environments managed by Render and Supabase.

Supabase and Render are responsible for patching underlying infrastructure, operating systems, and managed services.
Nemu Inc. monitors provider communications for security advisories or changes that may impact applications.

For application code and libraries:

Cloud Provider Native Patching Render.com infrastructure automatically applies OS-level and container-level security updates on the underlying systems.
Container Rebuild Pipeline (CI/CD) Application images are rebuilt through GitHub Actions, which ensures:
- Latest base images
- Updated dependencies
- Patched runtimes (Node.js, Bun, Debian/Ubuntu base layers)
- Deepsource audits
Dependency Vulnerability Scanning GitHub Dependabot alerts are used to detect and prompt upgrades for vulnerable npm/Bun packages.

Identification:
- Receive alerts from dependency scanning tools or advisories.
Assessment:
- Evaluate severity and affected components.
- Vendor security advisories (Apple, Microsoft, Linux distributions).
- Software provider notifications.
Implementation:
- Update dependencies or runtime versions.
- Run automated tests and regression checks.
- Standard-risk patches applied during regular release cycles.
Deployment:
- Deploy patched versions via CI/CD pipelines to staging and then production.
Verification:
- Confirm application health and logs after deployment.