We currently provide security updates for the following versions:

| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| < 2.0 | ❌ |
We take the security of schema-dsl seriously. If you discover a security vulnerability, please do not disclose it publicly. Instead, report it through the following channel:
Send an email to rockyshi1993@gmail.com
Email subject: [SECURITY] schema-dsl - <brief description>
- Vulnerability description: Clear description of the security issue
- Affected versions: Which versions are impacted
- Steps to reproduce: Detailed reproduction steps
- PoC code: Proof-of-concept if available
- Potential impact: Possible consequences
- Suggested fix: If you have a proposed fix

| Stage | Timeframe |
|---|---|
| Initial acknowledgement | 1-2 business days |
| Vulnerability assessment | 3-5 business days |
| Fix release | 7-30 days (depends on severity) |
We follow CVSS 3.1 scoring:
- Critical (9.0-10.0): Immediate fix, target < 7 days
- High (7.0-8.9): Priority fix, target < 14 days
- Medium (4.0-6.9): Planned fix, target < 30 days
- Low (0.1-3.9): Routine fix, target < 90 days

Always validate untrusted input before processing:

```js
const schema = dsl({
  username: "string:3-32!",
  email: "email!",
  age: "number:0-150"
});
const result = validate(schema, userInput);
if (!result.valid) {
  throw new Error("Validation failed: " + result.errors[0].message);
}
```

Do not build schemas from untrusted user input:

```js
// Bad: schema type from user input
// const schema = dsl({ field: userInput.type });
// Good: use a predefined map, and accept only keys the map itself defines
// (a plain-object lookup with a user-supplied key also returns inherited
// properties such as "constructor" or "toString")
const allowedSchemas = { user: userSchema, post: postSchema };
const schemaType = req.body.schemaType;
if (!Object.hasOwn(allowedSchemas, schemaType)) throw new Error("Unknown schema type");
const schema = allowedSchemas[schemaType];
```

Use bounded types to prevent resource exhaustion:

```js
const schema = dsl({
  tags: "array:1-100<string:1-50>",
  description: "string:0-2000"
});
```

Keep the package up to date and audit its dependencies:

```bash
npm update schema-dsl
npm audit
```

When writing async custom validators, always apply timeouts:

```js
const schema = dsl({
  email: "email!",
}).custom("email", async (value) => {
  const exists = await checkEmail(value, { timeout: 5000 });
  if (exists) return "Email already taken";
});
```

Use anchored regex patterns whose quantifiers cannot backtrack catastrophically (bounded repetition, no quantifier applied to a group that itself contains one):

```js
const schema = dsl({ username: "string" }).pattern(/^[a-zA-Z0-9_]{3,32}$/);
```

No known security vulnerabilities at this time.
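A small lint for the RegExp values handed to `.pattern()`, added here as an example and not part of schema-dsl: it reports a pattern that is not anchored, that carries the `m` flag (which makes `^`/`$` match at newlines inside the value), and any quantifier that is unbounded (`*`, `+`, `{n,}`) or applied to a group that itself contains a quantifier, the shape that backtracks super-linearly. `lintPattern` and its heuristics are this example's own and assume nothing about the library's API.

```javascript
// Example lint (not part of schema-dsl) for RegExp values given to .pattern().
// Returns findings; an empty list means: anchored, no multiline flag, and only
// bounded, non-nested quantifiers. Heuristic single pass over re.source that
// skips escapes and character classes and does not model alternation.
function lintPattern(re) {
  const src = re instanceof RegExp ? re.source : String(re);
  const findings = [];
  if (!src.startsWith("^")) findings.push("not anchored at start (^)");
  if (!src.endsWith("$") || src.endsWith("\\$")) findings.push("not anchored at end ($)");
  if (re instanceof RegExp && re.flags.includes("m")) findings.push("multiline flag: ^/$ match at newlines inside the value");
  const groups = [];            // per open group: has it seen a quantifier yet?
  let closedGroup = false;      // previous token was ')'
  let closedHadQuantifier = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    let quantifier = null;
    if (c === "\\") {
      i++;                                          // escaped character is literal
    } else if (c === "[") {                         // character class: skip to its ']'
      i++;
      if (src[i] === "^") i++;
      if (src[i] === "]") i++;
      while (i < src.length && src[i] !== "]") i += src[i] === "\\" ? 2 : 1;
    } else if (c === "(") {
      groups.push(false);
      if (src[i + 1] === "?") {                     // (?: (?= (?! (?<= (?<! (?<name>
        i += 2;
        if (src[i] === "<" && src[i + 1] !== "=" && src[i + 1] !== "!") i = Math.max(i, src.indexOf(">", i));
      }
    } else if (c === ")") {
      closedHadQuantifier = groups.pop() === true;
      closedGroup = true;
      continue;
    } else if (c === "*" || c === "+" || c === "?") {
      quantifier = c;
    } else if (c === "{") {                         // {n} and {n,m} are bounded, {n,} is not
      const m = /^\{(\d+)(,(\d*))?\}/.exec(src.slice(i));
      if (m) { quantifier = m[3] === "" ? "{n,}" : m[0]; i += m[0].length - 1; }
    }
    if (quantifier) {
      if (["*", "+", "{n,}"].includes(quantifier)) findings.push(`unbounded quantifier ${quantifier} at offset ${i}`);
      if (closedGroup && closedHadQuantifier) findings.push(`nested quantifier at offset ${i}`);
      groups.fill(true);                            // every enclosing group now contains one
    }
    closedGroup = false;
  }
  return findings;
}
```

Run it over the patterns in a schema's `.pattern()` calls in a unit test and fail the build on any non-empty result.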
Historical advisories: https://github.com/vextjs/schema-dsl/security/advisories
We thank all researchers who responsibly disclose security issues. Valid vulnerability reports will be credited in release notes (unless anonymity is requested).
Last updated: 2025-12-29
Contact: rockyshi1993@gmail.com