The following versions are currently receiving security updates:

| Version | Supported |
|---|---|
| 1.x.x | ✅ Yes |
| <1.0 | ❌ No |
If you discover a security vulnerability, please do not open a public issue. Instead:

📧 Report via email:
- security@yourdomain.com (replace with your actual email)

Or use GitHub:
- Security Advisory / Private report

To help us resolve the issue quickly, please include:
- Description of the vulnerability
- Affected version(s)
- Steps to reproduce
- Proof of Concept (PoC), if available
- Expected vs. actual behavior
- Potential impact (e.g., RCE, DoS, data leak)

Response timeline:
- 📩 Initial response: within 48 hours
- 🔍 Investigation: 1–5 days
- 🛠️ Fix timeline: depends on severity

This project follows these core security principles:
- All user inputs are validated
- Unsafe parsing is not allowed
- Risky constructs like `eval`, `Function`, `exec` are not used
- Commands are parsed, not directly executed
- Commands run in an isolated environment
- No access to system resources (fs, network, etc.) by default
- Every operation runs with minimal required permissions
- Default configurations are secure
- Potentially risky features are disabled by default
- Be cautious when exposing the command system to external input
- Do not trust third-party plugins or extensions
- Validate all serialization / deserialization processes
- Minimal dependency approach is followed
- Dependencies are regularly updated
- Supply chain risks are considered

- Do not publicly disclose vulnerabilities before they are fixed
- Contributors will be credited 🙏
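The principles above (inputs validated, no `eval`/`Function`, commands parsed rather than executed, no system access by default, least privilege, deserialization checked) can be illustrated with a small allow-list command dispatcher. The code below is an added example written for this policy page; it is not the project's own code, and the names `createCommandSystem`, `registerCommand`, `parseCommandMessage`, `buildDemoSystem` and the capability label `fs` are assumptions made for the illustration.

```javascript
'use strict';

// Added example (not the project's own code). A command system that tokenizes
// user input and dispatches it against a registry of known commands. The input
// string is only ever treated as data: there is no eval, no Function, no shell.
// Names such as createCommandSystem and the capability label 'fs' are assumed.
function createCommandSystem({ grantedCapabilities = [] } = {}) {
  const registry = new Map();
  const granted = new Set(grantedCapabilities); // empty by default: no fs, no network

  // Each command declares the capabilities it needs and validates its own
  // arguments before it is allowed to run (least privilege, validated input).
  function registerCommand(name, { capabilities = [], validate, run }) {
    if (!/^[a-z][a-z0-9-]*$/.test(name)) {
      throw new Error(`invalid command name: ${name}`);
    }
    registry.set(name, { capabilities, validate, run });
  }

  // Tokenize one command line: whitespace-separated words, double-quoted
  // strings with backslash escapes allowed. Nothing here is executed.
  function tokenize(line) {
    const tokens = [];
    const re = /"((?:[^"\\]|\\.)*)"|(\S+)/g;
    let m;
    while ((m = re.exec(line)) !== null) {
      tokens.push(m[1] !== undefined ? m[1].replace(/\\(.)/g, '$1') : m[2]);
    }
    return tokens;
  }

  // Parse -> look up -> permission check -> argument validation -> run.
  // Every rejection is a structured result, never a thrown exception.
  function execute(line) {
    if (typeof line !== 'string' || line.length > 1024) {
      return { ok: false, error: 'input rejected: not a string or too long' };
    }
    const [name, ...args] = tokenize(line);
    const cmd = registry.get(name);
    if (!cmd) {
      return { ok: false, error: `unknown command: ${String(name)}` };
    }
    const missing = cmd.capabilities.filter((c) => !granted.has(c));
    if (missing.length > 0) {
      return { ok: false, error: `missing capabilities: ${missing.join(', ')}` };
    }
    const problem = cmd.validate ? cmd.validate(args) : null;
    if (problem) {
      return { ok: false, error: `invalid arguments: ${problem}` };
    }
    return { ok: true, result: cmd.run(args) };
  }

  return { registerCommand, execute, tokenize };
}

// Checked deserialization: parse JSON, then verify the shape explicitly and
// reject keys that could pollute prototypes if the object is merged later.
function parseCommandMessage(text) {
  let obj;
  try {
    obj = JSON.parse(text);
  } catch {
    return null; // malformed input is rejected, never partially trusted
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  const forbidden = ['__proto__', 'constructor', 'prototype'];
  if (Object.keys(obj).some((k) => forbidden.includes(k))) return null;
  if (typeof obj.command !== 'string') return null;
  const args = obj.args === undefined ? [] : obj.args;
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) return null;
  return { command: obj.command, args };
}

// Demo registry with constructed commands: 'echo' needs nothing, 'read-file'
// declares the assumed 'fs' capability, which is not granted by default.
function buildDemoSystem() {
  const system = createCommandSystem(); // secure default: no capabilities granted
  system.registerCommand('echo', {
    validate: (args) => (args.length === 0 ? 'expected at least one word' : null),
    run: (args) => args.join(' '),
  });
  system.registerCommand('read-file', {
    capabilities: ['fs'],
    validate: (args) => (args.length === 1 ? null : 'expected exactly one path'),
    run: (args) => `would read ${args[0]}`, // unreachable unless 'fs' is granted
  });
  return system;
}

const demo = buildDemoSystem();
console.log(demo.execute('echo hello "big world"')); // { ok: true, result: 'hello big world' }
console.log(demo.execute('read-file /tmp/notes.txt')); // rejected: missing capabilities: fs
console.log(demo.execute('eval 1+1'));                // rejected: unknown command: eval
```

The important design choice is that the only way to run code is through `registry.get(name)`, so an attacker-controlled string can select among commands the operator registered but can never introduce new behaviour; capabilities are granted per system instance, so a deployment that never passes `fs` cannot reach the file-system command at all, and `parseCommandMessage` demonstrates validating a deserialized message before it is handed to `execute`.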

This project is open source, but exploiting security vulnerabilities is unethical.

💡 Security is not a feature — it's a process.