Security: davianspace/davianspace_reactive

Security Policy

Supported versions

Version Supported
1.x

Reporting a vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Email the maintainers at developers@davian.space with:

  1. A description of the vulnerability.
  2. Steps to reproduce.
  3. The potential impact.
  4. Any suggested mitigations (optional).

We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days.

Security considerations

davianspace_reactive is a state management library. The following areas are security-relevant:

Memory management

  • Reactive nodes, effects, and subscriptions hold closures. Failure to dispose them can leak memory and retain references to sensitive objects.
  • Use ReactiveScope in Flutter or ScopeOwner to ensure automatic cleanup.

Dependency injection

  • The DI integration registers reactive factories via davianspace_dependencyinjection. Ensure service provider scopes are properly disposed to release scoped reactives.

Debug logging

  • ReactiveDebugLogger and GraphInspector may capture reactive values in debug events. Do not enable debug mode in production builds that handle sensitive data.

Async operations

  • AsyncReactive and Resource execute user-provided futures. Ensure that fetchers do not expose credentials and that they handle errors appropriately.

There aren't any published security advisories