Please report security issues privately — don't open a public issue for them.
- Preferred: GitHub's private vulnerability reporting — the Security tab → Report a vulnerability (new advisory).
- Or email [email protected].
Include a minimal reproduction (a schema or markup snippet) and the affected version. This is a single-maintainer project, so expect a best-effort response — typically within a few days. Please give a reasonable window to fix before any public disclosure.
Fixes land on the latest published release. There are no long-term support branches.
Tweakit is a dependency-free, client-side UI library — it makes no network requests, runs no server, and handles no secrets or credentials. The attack surface is correspondingly small, but the things worth a careful eye:
- The plot control's expression evaluator is a custom,
eval-free parser with a whitelist, a recursion cap, and an input-length cap (covered by the test suite). Reports of a way to escape it, hang it, or reach arbitrary code are in scope. - Schema / markup input handling rejects prototype-polluting keys (e.g.
__proto__) on the typed-meta and presets paths. Reports of a pollution vector are in scope. - The docs-site generator escapes interpolated content; injection through authored page content is in scope.
Out of scope: issues that require a malicious host page or already-compromised browser (the kit trusts the page it's embedded in), and the bundled third-party icon assets (see THIRD-PARTY-NOTICES.md).