Security fixes are applied to the latest release line maintained in this repository. Use the newest compatible version and keep framework integrations (Laravel, Symfony) patched.
Please use the contact published in composer.json under support.security (GitHub Security Advisories / private report). Do not open public issues for undisclosed vulnerabilities.
- HMAC secret is mandatory when async execution is enabled. Configure a long, random secret (e.g. 32+ bytes from a CSPRNG, stored in a secret manager) and use the same value on every web/worker instance.
- Laravel: `BATCH_ASYNC_MESSAGE_SECRET` / `batch_processing.async.message_secret`.
- Symfony: `batch_processing.async_launcher.message_secret`.
- Restrict who can publish to the batch transport (network ACLs, broker credentials, IAM). The signature protects integrity on the transport; it does not replace transport access control.
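The integrity check the shared secret enables, shown as an added example in plain PHP (not the package's own code or its Laravel/Symfony integration): the publisher signs the job-launch message with HMAC-SHA256 and the worker verifies it before launching anything. The function names, the message layout and the `signature` field are assumptions made for illustration.

```php
<?php
// Added example, not the library's code: HMAC-SHA256 signing and verification of an
// async job-launch message. Message layout and function names are assumptions.
declare(strict_types=1);

// Canonical encoding so publisher and worker hash identical bytes.
function canonicalize(array $message): string
{
    ksort($message);
    return json_encode($message, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

function signMessage(array $message, string $secret): array
{
    if (strlen($secret) < 32) {
        throw new InvalidArgumentException('message secret must be at least 32 bytes');
    }
    $message['signature'] = hash_hmac('sha256', canonicalize($message), $secret);
    return $message;
}

function verifyMessage(array $message, string $secret): bool
{
    $given = $message['signature'] ?? null;
    if (!is_string($given)) {
        return false;
    }
    unset($message['signature']);
    $expected = hash_hmac('sha256', canonicalize($message), $secret);
    // Constant-time comparison: do not leak where the mismatch occurs.
    return hash_equals($expected, $given);
}

// Constructed sample secret from a CSPRNG; in production load it from configuration.
$secret = bin2hex(random_bytes(32));

$signed = signMessage(['job' => 'export-report', 'parameters' => ['date' => '2024-01-01']], $secret);
echo 'untouched message: ', verifyMessage($signed, $secret) ? 'accepted' : 'rejected', PHP_EOL;

// Parameters altered after signing must be rejected by the worker.
$tampered = $signed;
$tampered['parameters']['date'] = '2000-01-01';
echo 'tampered message:  ', verifyMessage($tampered, $secret) ? 'accepted' : 'rejected', PHP_EOL;

// A worker configured with a different secret cannot accept the message, which is
// why every web/worker instance must share the same value.
$otherSecret = bin2hex(random_bytes(32));
echo 'secret mismatch:   ', verifyMessage($signed, $otherSecret) ? 'accepted' : 'rejected', PHP_EOL;
```

The signature only proves the message was produced by a holder of the secret; it says nothing about whether that holder should be allowed to publish, which is the transport access control the item above asks for.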
- Running a batch job (Artisan / `bin/console`, HTTP-triggered launcher, or queue worker) executes application code registered for that job name. Treat job launch and parameter injection as privileged operations.
- Lock down Artisan / console in production; use deployment roles and avoid exposing launchers on untrusted networks without authentication.
- Do not build SQL for `PaginatedPdoItemReader`, `LimitOffsetPagingQueryProvider`, or similar APIs from untrusted input. Use static SQL and bound parameters only. `UnsafeSqlQueryFragmentValidator` is a heuristic helper, not a substitute for safe query design.
- When using the optional `allowedBaseDirectory` on file readers/writers (including Symfony Serializer adapters), set it to a dedicated import/export directory to limit path traversal risk.
- Expressions resolved by `ExpressionLanguageLateBindingResolver` or `SimpleLateBindingExpressionResolver` must come from trusted configuration. Never pass raw user input. Be cautious when registering custom ExpressionLanguage functions.
- Job parameters, execution contexts, and exit messages may contain operational or personal data. Apply database encryption, minimal retention, and least-privilege database accounts as required by your compliance regime.
- Run `composer audit` regularly. This package lists `roave/security-advisories` in `require-dev` to block known-vulnerable dependency versions during development.