We actively support the following versions of Prompt Weaver with security updates:

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should be reported privately to prevent exploitation.

please contact our admins in telegram @IQAICOM

Include the following information in your report:

• Type of vulnerability (e.g., XSS, injection, etc.)
• Affected component (e.g., template rendering, validation, etc.)
• Steps to reproduce the vulnerability
• Potential impact of the vulnerability
• Suggested fix (if you have one)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity (see below)

We use the following severity levels:

• Critical: Remote code execution, authentication bypass, data exposure

  • Response: Immediate (within 24 hours)
  • Fix: As soon as possible (typically within 7 days)

• High: Privilege escalation, significant data leakage

  • Response: Within 48 hours
  • Fix: Within 14 days

• Medium: Information disclosure, denial of service

  • Response: Within 7 days
  • Fix: Within 30 days

• Low: Minor information disclosure, best practice violations

  • Response: Within 14 days
  • Fix: Next regular release

• We will acknowledge receipt of your report within 48 hours
• We will keep you informed of the progress toward resolving the issue
• We will notify you when the vulnerability is fixed
• We will credit you in the security advisory (unless you prefer to remain anonymous)

• Confirmation: You'll receive confirmation that we've received your report
• Updates: Regular updates on the status of the vulnerability
• Credit: Recognition for responsible disclosure (if desired)
• Fix: A patch addressing the vulnerability

When using Prompt Weaver, please follow these security best practices:

• Never render user-provided templates without validation
• Sanitize user input before passing it to templates
• Validate template variables before rendering
• Use the built-in validation utilities

• Always validate data before rendering templates
• Use TypeScript types for type safety
• Use Standard Schema validation (Zod, Valibot, ArkType) for runtime validation
• The format() method automatically validates when a schema is provided

import { PromptWeaver, SchemaValidationError } from "@iqai/prompt-weaver";
import { z } from "zod";

// ✅ Good: Validate and sanitize user input
const userInput = sanitizeUserInput(rawUserInput);

// ✅ Good: Define schema for validation
const schema = z.object({
  name: z.string().min(1),
  age: z.number().positive(),
});

// ✅ Good: Create weaver with schema - format() automatically validates
const weaver = new PromptWeaver(template, { schema });

// ✅ Good: format() automatically validates and throws SchemaValidationError if invalid
try {
  const output = weaver.format(userInput);
} catch (error) {
  if (error instanceof SchemaValidationError) {
    console.error("Validation failed:", error.issues);
  }
}

// ❌ Bad: Rendering untrusted user input directly
const weaver = new PromptWeaver(userProvidedTemplate);
const output = weaver.format(unvalidatedUserData);

Prompt Weaver uses Handlebars for template rendering. While Handlebars is designed to prevent code execution, you should:

• Never render templates from untrusted sources
• Validate all template variables
• Use the built-in validation features

When rendering templates that will be displayed in HTML:

• Always escape HTML content appropriately
• Use proper sanitization libraries for HTML output
• Never trust user-provided template content

Security updates will be:

• Released as patch versions (e.g., 0.1.1 → 0.1.2)
• Documented in the CHANGELOG.md
• Announced via GitHub security advisories (if applicable)

If you have questions about security, please:

• Review this security policy
• Check existing security advisories
• Contact the maintainers privately

Thank you for helping keep Prompt Weaver secure! 🔒