This repository currently maintains the latest main branch for security fixes.
If you discover a security vulnerability, please do not open a public issue.
- Contact: 0xpablo.li@proton.me
- Include: impact, reproduction steps, affected commit/version, and proof-of-concept if available.
- Response target: initial response within 72 hours.
Use this checklist before converting the repository to public visibility.
If any credential was ever committed (even briefly), rotate it first:
- API keys
- Access tokens
- Service account secrets
- Webhook secrets
Rewriting history is not a substitute for credential rotation.
In Settings → Security:
- Enable Secret scanning
- Enable Push protection
- Enable Dependabot alerts
- Enable Dependabot security updates
In Settings → Branches:
- Require pull request before merge
- Require status checks to pass
- Restrict force pushes
- Restrict direct pushes to
main
- Keep
.envand secret files in.gitignore - Keep only
.env.exampletracked - Ensure no private endpoints or credentials in docs/scripts
- Rotate affected credentials immediately.
- Rewrite git history (
git filter-repoor BFG) to remove leaked files/strings. - Force push cleaned history.
- Invalidate old clones/forks where possible and notify collaborators to reclone.
- Contact GitHub Support for cache/index cleanup if needed.
- Closed/merged GitHub PRs generally cannot be fully deleted from normal repository UI controls.
- You can edit PR descriptions, remove sensitive comments, and lock conversations.
- Git history can be rewritten, but previously cloned/forked copies may still retain old data.
# 1) Quick secret keyword scan (heuristic)
rg -n "(AKIA|AIza|BEGIN RSA|PRIVATE KEY|TOKEN|SECRET|PASSWORD|SENTRY_DSN|VITE_.*KEY)" -g'!*dist/*'
# 2) Check tracked env files
git ls-files | rg "^\.env"
# 3) Ensure sensitive env files are ignored
git check-ignore -v .env .env.local .env.production