We take security issues affecting god-kit seriously. This document describes how to report vulnerabilities and what to expect.
Security fixes are applied to the latest minor release on npm (latest dist-tag). Older majors may not receive backports unless documented in release notes.
Check the published version:
npm view god-kit versionPlease do not open a public GitHub issue for undisclosed security vulnerabilities (that can put users at risk before a fix exists).
Preferred channels:
- GitHub Security Advisories — use Report a vulnerability for this repository if enabled for your account.
- Maintainers — if private reporting is unavailable, contact repository owners through GitHub with a subject line such as
SECURITY: god-kitand minimal reproduction details; avoid posting exploit code in public threads.
Include where possible:
- A short description of the issue and its impact
- Affected versions or git revision
- Steps to reproduce or a proof-of-concept (can be shared privately)
- Suggested fix or mitigation (optional)
In scope for this policy:
- Runtime behavior of published
god-kitpackages (Vue components, composables, CLI as shipped on npm) - Supply-chain concerns directly tied to this repository’s release artifacts
Typically out of scope (report to the relevant upstream instead):
- Issues in consumer applications that only misuse the API
- Third-party dependencies (report to those projects unless god-kit is clearly misusing them)
- Denial-of-service via oversized inputs in demo/docs sites unless they reflect default library behavior
We may adjust scope case by case.
- We aim to acknowledge receipt within a few business days when contact details allow it.
- We coordinate a fix and release as appropriate, then publish
CHANGELOG.mdand advisory text proportionate to severity. - Credit reporters in release notes when they wish to be named.
This project does not run a paid bug bounty program.
For general non-security bugs and feature requests, use Issues.