We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
The security of this project is taken seriously. If you discover a security vulnerability, please follow these steps:
-
Do not create a public GitHub issue for the vulnerability
-
Report the vulnerability privately using one of these methods:
- Use GitHub's private security advisory feature
- Email the security team (if available)
-
Include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if available)
- Acknowledgment: You'll receive an acknowledgment within 48 hours
- Assessment: We'll assess the vulnerability and determine its severity
- Timeline: We aim to release a fix within 90 days for critical issues
- Credit: Security researchers who responsibly disclose vulnerabilities will be credited (unless they prefer to remain anonymous)
This repository uses GitHub's native security features:
- CodeQL Analysis: Automated code scanning for vulnerabilities in JavaScript/TypeScript
- Dependabot: Automatic dependency vulnerability detection and updates
- Secret Scanning: Detects accidentally committed secrets (public repos)
Security alerts are automatically created for:
- Known vulnerabilities in dependencies
- Code scanning findings from CodeQL
- Exposed secrets or tokens
- Dependabot automatically creates pull requests for security updates
- CodeQL runs on every pull request and push to main
- Weekly scheduled scans ensure ongoing security
When contributing to this project:
- Never commit secrets - Use environment variables for sensitive data
- Keep dependencies updated - Review and merge Dependabot PRs promptly
- Review CodeQL alerts - Address security findings in your pull requests
- Use secure defaults - Follow the principle of least privilege
- Validate input - Always sanitize and validate user input
- Follow secure coding guidelines - Review our CONTRIBUTING.md
We use Dependabot to monitor and update dependencies:
- Security updates are applied automatically via pull requests
- Dependencies are reviewed weekly
- Known vulnerable packages are flagged immediately
View current security status:
- Go to the Security tab
- Check Code scanning alerts
- Review Dependabot alerts
For urgent security issues, contact:
- GitHub Security Advisory: Create Advisory
- Maintainers: Review the CODEOWNERS file
We follow coordinated disclosure:
- Security researchers report vulnerabilities privately
- We work with researchers to validate and fix the issue
- A fix is prepared and tested
- An advisory is published with credit to the reporter
- The fix is released to users