| Version | Supported |
|---|---|
| 0.0.x | ✅ |
As the project matures, this table will be updated to reflect which release lines receive security patches.
Do not open a public GitHub issue for security vulnerabilities.
- Use GitHub's private vulnerability reporting feature on the NogginLessDom repository, or
- Email the maintainers at the address listed in the repository's contact information.
- A clear description of the vulnerability and its potential impact.
- Detailed steps to reproduce the issue (proof of concept if possible).
- The affected version(s) and environment (OS, Node.js version, Bun version).
- Any suggested mitigation or fix (optional but appreciated).
- Acknowledgment -- We will acknowledge receipt of your report within 48 hours.
- Triage -- An initial assessment and severity rating will be provided within 5 business days.
- Fix Development -- A patch will be developed privately. Critical vulnerabilities are targeted for resolution within 30 days; lower severity issues within 90 days.
- Coordinated Disclosure -- Once a fix is released, we will publish a security advisory crediting the reporter (unless anonymity is requested).
- CVE Assignment -- For qualifying vulnerabilities, we will request a CVE identifier.
The following areas are in scope for security reports:
- Supply chain integrity -- NogginLessDom has zero third-party runtime dependencies by design. Any issue that could compromise this guarantee is critical.
- DOM parsing safety -- Prevention of XSS, injection, or prototype pollution through the DOM simulation layer.
- Test isolation -- Ensuring test environments cannot leak state, credentials, or filesystem access beyond their sandbox.
- Build pipeline -- Vulnerabilities in CI/CD workflows, Makefile targets, or release processes.
- Vulnerabilities in dev dependencies (report those to the upstream project).
- Issues requiring physical access to the machine running tests.
- Social engineering attacks.
NogginLessDom is built with security as a first-class concern:
- Zero runtime dependencies -- Eliminates the supply chain attack surface entirely.
- Node.js built-ins only -- Relies exclusively on
node:test,node:assert, and standard APIs. - No eval or dynamic code execution -- DOM parsing never uses
eval(),Function(), or similar constructs. - Strict input validation -- All HTML/DOM inputs are validated and sanitized.
- Regular CodeQL analysis -- Automated static analysis runs on every push and on a weekly schedule.
- Dependabot monitoring -- Dev dependencies are monitored for known vulnerabilities with weekly checks.
- Minimal permissions -- CI workflows use least-privilege principles.