Normalize the security contacts of the different repositories

[bjohansebas]

We should standardize the points of contact. For example, here https://github.com/webpack/webpack-dev-middleware/security it is set to contact webpack@opencollective.com, while in this other case https://github.com/webpack/webpack-cli/security it points to the email of the npm package maintainers.

Maybe it would be better to have a single security file in the .github repository, so we don’t have to maintain one file per repository. In some cases, I’ve seen they include a supported versions section — we could instead have a separate file in the security-wg repository with a list of those repositories and replicate the same table.

Also, I think there’s already another email for reports, right? webpack-security@openjsf.org

[avivkeller]

Refer to https://github.com/webpack/webpack/pull/19841/files for the planned communication channels for an incident response

[bjohansebas]

I created this script https://gist.github.com/bjohansebas/bfb18065f6c106e59c65572ae61baf63

The following repositories still have the SECURITY.md file:

• https://github.com/webpack/webpack-dev-middleware (we can remove the file and use the global security file)
  • docs: remove SECURITY.md file webpack-dev-middleware#2222
• https://github.com/webpack/loader-utils (we can remove the file and use the global security file)
  • docs: remove SECURITY.md file loader-utils#264
• https://github.com/webpack/webpack-cli
  • This is a special case, it has a special table of supported versions. Maybe we can reference the global security file and continue maintaining the table. What do you think?
    • docs: clarify security policy and reporting guidelines in SECURITY.md webpack-cli#4600

[alexander-akait]

https://github.com/webpack/loader-utils is deprecated, we don't need it anymore, webpack has the same loader context API

[alexander-akait]

Fixed