This project follows a rolling support model.
main: fully supported- release branches/tags: security fixes only
- everything else: unsupported
Do not open public issues for security vulnerabilities.
- Send a private report to the repository owner (
@Delqhi) with:- clear impact statement
- reproduction steps
- affected files/paths
- suggested fix if available
- Expect acknowledgment within 72 hours.
- A mitigation/fix plan is provided after triage.
- Public disclosure happens only after fix deployment.
- No secrets in code, logs, fixtures, or docs.
- New dependencies must be justified and actively maintained.
- New external integrations must use least-privilege credentials.
- Sensitive document content must be redacted in logs and reports.
- All PRs touching runtime or workflows must pass CI security gates.
The repository enforces enterprise controls using free tooling:
- quality gate (
build,test,lint) - dependency gate (
npm audit) - secret scanning (
gitleaks) - filesystem vulnerability scanning (
trivy) - SBOM generation (
npm sbom, SPDX) - build provenance attestation