We follow GSA's IT security policy to ensure the confidentiality, integrity, and availability of USWDS.

We use Snyk to find, fix, and prevent vulnerabilities in USWDS dependencies. We run Snyk checks locally during development and automatically on all pull requests.

We perform static analysis on our JavaScript on every pull requests with GitHub CodeQL.

We include a security and vulnerability report with every USWDS release, and release security patches for both the 1.x and 2.x branches.

We encourage you to verify the security and status of the USWDS package:

1. Check the vulnerability badge. Confirm the vulnerability badge in the USWDS Github code repository says there are 0 vulnerabilities.
2. Download the package via npm. We recommend using the npm package instead of the zip file, whenever possible. Using npm makes it easier to stay up-to-date and use the latest USWDS version as a project dependency, and is a secure and reliable way to download USWDS source code.

To learn more about our security practices or to report a security issue, please email us. If the issue is confirmed, we will release a patch as soon as possible.