Security updates are provided for the latest minor version of Engram. When a new minor version is released, security support for the previous minor version ends.
| Version | Status |
|---|---|
| 0.4.x | Supported |
| 0.3.x | Not supported (please upgrade: v0.4.0 introduced the @engram-mem/postgrest rebrand, and a clean npm install of v0.4.2 drops @supabase/supabase-js and resolves 9 transitive vulnerabilities) |
| 0.2.x | Not supported |
| 0.1.x | Not supported |
Do not open a public GitHub issue for security vulnerabilities. Instead, email [email protected] with:
- Title of the vulnerability
- Description and impact
- Steps to reproduce (if applicable)
- Affected version(s)
We will:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 1 week
- Coordinate a fix and release timeline
Reports in scope for this policy include:
- Authentication or authorization bypasses
- Data exposure or leakage
- SQL injection or code injection vulnerabilities
- Cryptographic weaknesses
- Denial of service attacks
- Privilege escalation
Engram never stores API keys or secrets in code. All credentials must be provided via:
- Environment variables
- Configuration files outside version control
- A secret manager appropriate to your deployment (cloud KMS, HashiCorp Vault, Doppler, Supabase Vault if you use hosted Supabase, etc.)
Engram itself is bring-your-own (BYO) infrastructure as of v0.4.0; there is no built-in coupling to any single vendor's secret store.
If you discover hardcoded secrets, report them immediately to [email protected].
Thank you for helping keep Engram secure.