We take security seriously. If you believe you've found a security vulnerability, please follow these steps:
- Do not disclose the vulnerability publicly
- Email the details to [email protected].
- Provide a detailed description of the vulnerability
- Include steps to reproduce the issue
- Mention the version of the software where you found the vulnerability
- If possible, include suggestions for fixing the vulnerability
After you submit a report:
- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a more detailed response within 7 days
- We will work with you to understand and address the issue
- We will keep you informed of our progress
- Once the vulnerability is fixed, we will publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)
Security best practices when using the package:
- Keep the package updated: Always use the latest version
- Validate inputs: When integrating with the server, ensure all inputs are properly validated
- Manage permissions: Ensure proper file system permissions are set for the project directory
- Secure your environment: Follow security best practices for your Node.js environment
When a security vulnerability is reported, we follow this disclosure process:
- The security team verifies the vulnerability
- We develop a fix and test it thoroughly
- We release a patch and notify users
- After users have had sufficient time to update, we may publish a security advisory
Thank you for helping keep users safe!