Skip to content

Security: asymmetric-effort/NogginLessDom

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.0.x

As the project matures, this table will be updated to reflect which release lines receive security patches.

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

How to Report

  1. Use GitHub's private vulnerability reporting feature on the NogginLessDom repository, or
  2. Email the maintainers at the address listed in the repository's contact information.

What to Include

  • A clear description of the vulnerability and its potential impact.
  • Detailed steps to reproduce the issue (proof of concept if possible).
  • The affected version(s) and environment (OS, Node.js version, Bun version).
  • Any suggested mitigation or fix (optional but appreciated).

Disclosure Process

  1. Acknowledgment -- We will acknowledge receipt of your report within 48 hours.
  2. Triage -- An initial assessment and severity rating will be provided within 5 business days.
  3. Fix Development -- A patch will be developed privately. Critical vulnerabilities are targeted for resolution within 30 days; lower severity issues within 90 days.
  4. Coordinated Disclosure -- Once a fix is released, we will publish a security advisory crediting the reporter (unless anonymity is requested).
  5. CVE Assignment -- For qualifying vulnerabilities, we will request a CVE identifier.

Scope

The following areas are in scope for security reports:

  • Supply chain integrity -- NogginLessDom has zero third-party runtime dependencies by design. Any issue that could compromise this guarantee is critical.
  • DOM parsing safety -- Prevention of XSS, injection, or prototype pollution through the DOM simulation layer.
  • Test isolation -- Ensuring test environments cannot leak state, credentials, or filesystem access beyond their sandbox.
  • Build pipeline -- Vulnerabilities in CI/CD workflows, Makefile targets, or release processes.

Out of Scope

  • Vulnerabilities in dev dependencies (report those to the upstream project).
  • Issues requiring physical access to the machine running tests.
  • Social engineering attacks.

Security Design Principles

NogginLessDom is built with security as a first-class concern:

  1. Zero runtime dependencies -- Eliminates the supply chain attack surface entirely.
  2. Node.js built-ins only -- Relies exclusively on node:test, node:assert, and standard APIs.
  3. No eval or dynamic code execution -- DOM parsing never uses eval(), Function(), or similar constructs.
  4. Strict input validation -- All HTML/DOM inputs are validated and sanitized.
  5. Regular CodeQL analysis -- Automated static analysis runs on every push and on a weekly schedule.
  6. Dependabot monitoring -- Dev dependencies are monitored for known vulnerabilities with weekly checks.
  7. Minimal permissions -- CI workflows use least-privilege principles.
Learn more about advisories related to asymmetric-effort/NogginLessDom in the GitHub Advisory Database