We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should be reported privately to avoid exposing users to potential attacks.
Send an email to [email protected] with the following information:
- Subject:
[SECURITY] @squoosh-kit/core vulnerability report - Description: Detailed description of the vulnerability
- Steps to reproduce: Clear steps to reproduce the issue
- Impact: Potential impact of the vulnerability
- Suggested fix: If you have a suggested fix (optional)
- Acknowledgment: You will receive an acknowledgment within 48 hours
- Assessment: We will assess the vulnerability within 5 business days
- Fix timeline: Critical vulnerabilities will be fixed within 7 days
- Disclosure: We will coordinate disclosure with you
This package uses WebAssembly (WASM) modules from the Squoosh project. These modules:
- Are compiled from Rust source code
- Run in a sandboxed environment
- Cannot access the file system or network directly
- Are validated against known-good checksums
- No data persistence: The package does not store or transmit user data
- Local processing: All image processing happens locally
- Memory management: Proper cleanup of WASM instances
We maintain a strict dependency policy:
- Minimal dependencies: Only essential dependencies are included
- Regular updates: Dependencies are updated regularly
- Security audits: All dependencies are audited for vulnerabilities
- Lock files: Exact versions are locked to prevent supply chain attacks
- Keep updated: Always use the latest version of the package
- Validate inputs: Validate image data before processing
- Resource limits: Set appropriate memory and CPU limits
- Error handling: Implement proper error handling for WASM operations
- Code review: All code changes require review
- Security testing: Security tests are included in CI/CD
- Dependency updates: Dependencies are updated regularly
- Vulnerability scanning: Automated vulnerability scanning in CI/CD
- Type safety: Full TypeScript support prevents type-related vulnerabilities
- Input validation: Built-in validation for image data and options
- Memory safety: WASM modules provide memory-safe execution
- Error boundaries: Proper error handling prevents crashes
- Worker isolation: Heavy processing runs in Web Workers
- Resource limits: Built-in resource management
- Abort signals: Support for canceling long-running operations
- Memory cleanup: Automatic cleanup of WASM instances
- Detection: Automated monitoring and manual reports
- Assessment: Impact and severity evaluation
- Containment: Immediate mitigation if possible
- Investigation: Root cause analysis
- Recovery: Fix deployment and verification
- Lessons learned: Process improvement
- Internal: Immediate notification to maintainers
- Users: Coordinated disclosure timeline
- Public: Security advisory when appropriate
- Dependency audit:
bun audit - Code analysis: ESLint security rules
- Build validation: Automated build artifact verification
- WASM validation: Checksum verification of WASM files
- Penetration testing: Regular security assessments
- Code review: Security-focused code reviews
- Threat modeling: Regular threat model updates
For security-related questions or concerns:
- Email: [email protected]
- GitHub: @bnowak008
- Issues: Use private security reporting (see above)
We thank the security researchers and community members who help keep this project secure through responsible disclosure and security best practices.