We take security seriously. If you discover a security vulnerability in this project, please report it responsibly.
Please do not open a public GitHub issue for security vulnerabilities. This gives attackers information about the vulnerability before a fix is available.
- GitHub Security Advisory: Use GitHub's private security advisory feature
- Email: pmouli@mac.com (for critical issues requiring immediate attention)
- Direct Contact: Contact maintainers privately if needed
When reporting a vulnerability, please include:
- Description: Clear explanation of the vulnerability
- Location: Specific file(s) and line number(s)
- Severity: Impact assessment (critical, high, medium, low)
- Steps to Reproduce: Detailed reproduction instructions
- Proof of Concept: Code or example demonstrating the issue
- Suggested Fix: If you have one (optional)
- Security fixes are released as soon as possible
- Fixes for critical vulnerabilities may ship outside the normal release cycle
- Security advisories will be published on GitHub
| Version | Status | Security Updates |
|---|---|---|
| 1.x | Active | Yes |
| 0.x | EOL | No |
We use:
- Dependabot/Renovate: Automated dependency updates
- npm audit: Regular security audits in CI/CD
- GitHub Security: Code scanning and secret scanning
- Run `pnpm audit` regularly
- Update dependencies with `pnpm update -r --latest`
- Review security advisories on dependencies
- Input Validation: All inputs are validated
- Error Handling: Errors are handled gracefully without exposing sensitive info
- Secrets Management: No hardcoded secrets; use environment variables
- Dependency Management: Keep dependencies minimal and updated
- Code Review: All code is reviewed before merging
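The two practices above that are easiest to get wrong in code are secrets management and error handling. The following is an added example written for this page, not the project's own code: it parses a constructed `.env.local` fragment, loads required secrets from an environment record (passed in explicitly rather than read from `process.env`, so it runs anywhere), fails closed when a secret is missing without echoing any value, and scrubs secret values from a message before it is logged. The variable names `DATABASE_URL` and `API_KEY` and the helper names are assumptions for illustration.

```typescript
// Added example, not project code. Demonstrates: secrets from the environment,
// fail-closed config loading, and error messages that never carry secret values.

type Env = Record<string, string | undefined>;

// Constructed sample of a .env.local file (this file is never committed).
export const SAMPLE_ENV_LOCAL = `# local only - never committed
DATABASE_URL="postgres://app:s3cr3t@localhost:5432/app"
API_KEY=local-dev-key-123
`;

// Minimal parser for KEY=value lines: skips blanks and comments, strips one
// pair of surrounding quotes. A framework or dotenv normally does this; the
// point is that the file stays out of version control.
export function parseDotEnv(text: string): Env {
  const out: Env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

export interface Config {
  databaseUrl: string;
  apiKey: string;
}

// Read required secrets from the environment. A missing value is an error,
// but the message names the variable, never its value, so it is safe to log.
export function loadConfig(env: Env): Config {
  const required = ["DATABASE_URL", "API_KEY"];
  const missing = required.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`missing required environment variables: ${missing.join(", ")}`);
  }
  return { databaseUrl: env.DATABASE_URL as string, apiKey: env.API_KEY as string };
}

// Scrub secret values out of a message before it reaches a log line or an
// HTTP response; lower layers (drivers, HTTP clients) often embed them.
export function redactSecrets(message: string, cfg: Config): string {
  let out = message;
  for (const secret of [cfg.apiKey, cfg.databaseUrl]) {
    if (secret) out = out.split(secret).join("[REDACTED]");
  }
  return out;
}
```

In a real service the `Env` argument would be `process.env` and the `.env.local` file would be read by the framework; the shape of the checks (fail closed on missing secrets, redact before logging) stays the same.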
When contributing:
- Never commit secrets, API keys, or credentials
- Use `.env.local` for local secrets (not committed)
- Validate and sanitize all user input
- Use parameterized queries for database operations
- Give security-sensitive operations (for example authentication, authorization, and secret handling) extra scrutiny in review
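The input-validation and parameterized-query rules above are best seen side by side. The following is an added example for this page, not the project's own code: a fake database that records the statement it would execute stands in for a real driver (so the example runs offline), a string-concatenated query is shown next to its parameterized form, and a separate validator rejects input that does not match what the application expects. The table, column names, and helper names are assumptions for illustration; the `(sql, params)` call shape mirrors what drivers such as `pg` accept.

```typescript
// Added example, not project code. Demonstrates why "validate input" and
// "use parameterized queries" are separate rules that both apply.

type Query = { sql: string; params: unknown[] };

// Records queries instead of executing them, so we can inspect what each
// approach would actually send to the database.
class FakeDb {
  readonly executed: Query[] = [];
  query(sql: string, params: unknown[] = []): Query {
    const q: Query = { sql, params };
    this.executed.push(q);
    return q;
  }
}

// Vulnerable: the username is pasted into the SQL text, so attacker-controlled
// input becomes part of the statement's structure.
export function findUserUnsafe(db: FakeDb, username: string): Query {
  return db.query(`SELECT id, name FROM users WHERE name = '${username}'`);
}

// Hardened: the SQL text is a constant; the value travels as a bound parameter
// and can never change the statement's structure.
export function findUserSafe(db: FakeDb, username: string): Query {
  return db.query("SELECT id, name FROM users WHERE name = $1", [username]);
}

// Validation is a separate layer: reject anything that is not the shape the
// application expects, before it reaches a query, a log line, or a template.
const USERNAME = /^[a-z0-9_]{3,32}$/;
export function validateUsername(input: unknown): string {
  if (typeof input !== "string" || !USERNAME.test(input)) {
    throw new Error("invalid username");
  }
  return input;
}

// Crude structural check used only for the demonstration: has the statement
// text picked up an extra boolean clause or a comment marker?
export function statementWasAltered(q: Query): boolean {
  return /\bOR\b/i.test(q.sql) || q.sql.includes("--");
}

// Runs both forms against a constructed injection payload.
export function demo(): { unsafe: Query; safe: Query; rejected: boolean } {
  const db = new FakeDb();
  const attack = "' OR '1'='1' --"; // constructed malicious input
  const unsafe = findUserUnsafe(db, attack);
  const safe = findUserSafe(db, attack);
  let rejected = false;
  try {
    validateUsername(attack);
  } catch {
    rejected = true;
  }
  return { unsafe, safe, rejected };
}
```

Note that validation alone is not a substitute for parameterization: the allow-list above happens to reject this payload, but a field that legitimately contains quotes (a display name, free text) still needs the bound-parameter form.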
We perform:
- Static Analysis: With oxlint
- Dependency Scanning: With Dependabot/Renovate
- CodeQL: GitHub's code scanning
- Security Advisories: GitHub security alerts
As of the latest release, there are no known unresolved security vulnerabilities.
We believe in responsible disclosure. Vulnerabilities disclosed to us are:
- Confirmed within 2-5 business days
- Fixed as soon as possible
- Credited to the reporter (unless they wish to remain anonymous)
We appreciate security research conducted in good faith. This includes:
- Testing for vulnerabilities
- Reporting vulnerabilities
- Improving security measures
We will not take legal action against researchers who:
- Act in good faith
- Avoid privacy violations or data destruction
- Follow responsible disclosure practices
- Don't disclose vulnerabilities publicly before notification
- Security Questions: pmouli@mac.com
- General Questions: Open a discussion on GitHub
- Bug Reports: Open an issue with the `security` label (for non-sensitive issues only; vulnerabilities go through the private channels above)
Thank you for helping keep this project secure! 🔒