Good commit hygiene in general is a tough thing to enforce. It requires manual labor and descipline, from both the author and the reviewer.

in the absence of an immediate need, it is simpler to leave out error handling until a final .catch() statement.

When sanitizing, protecting or verifying something, prefer whitelists over blacklists.

in order to track the always-improving upstream project, we continuously rebase our patches on top of the upstream master

it reminds me of IT security best practices. Based on experience and the lessons we have learned in the history of IT security, we have come up with some basic rules that, when followed, go a long way to preventing serious problems later.

The fact is that it doesn’t matter if you can see the threat or not, and it doesn’t matter if the flaw ever leads to a vulnerability. You just always follow the core rules and everything else seems to fall into place.

Remove upper bound in our dependencies Doing this we are only asking people to fork our gem or open issues when they want to use a new version of the dependency and we still didn't tested with it.

I usually write example code that is for both Chrome and Firefox WebExtensions.