We actively support the following versions with security updates:
Version | Supported |
---|---|
1.x.x | ✅ |
< 1.0 | ❌ |
We take security seriously and appreciate your efforts to responsibly disclose security vulnerabilities.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by:
- GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
- Direct Message: Contact the maintainer directly via GitHub
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: What could happen if this vulnerability is exploited
- Reproduction: Step-by-step instructions to reproduce the issue
- Environment: Node.js version, package version, and operating system
- Code Sample: Minimal code example demonstrating the issue (if applicable)
We aim to respond to security reports within:
- Initial Response: 48 hours
- Status Update: 7 days
- Resolution: 30 days (for confirmed vulnerabilities)
When using this npm package in your applications:
-
Dependency Management:
# Keep dependencies updated npm audit npm update # Use npm ci in production npm ci --only=production
-
Input Validation:
// Always validate inputs when using package functions import { greet } from 'your-package-name'; function safeGreet(input: unknown): string { if (typeof input !== 'string' || input.length > 100) { throw new Error('Invalid input'); } return greet(input); }
-
Error Handling:
// Handle errors gracefully try { const result = await asyncGreet(userInput); return result; } catch (error) { console.error('Greeting failed:', error.message); return 'Hello, guest!'; }
- Input Sanitization: Always sanitize user inputs before processing
- Dependency Vulnerabilities: Regularly audit and update dependencies
- Error Information Disclosure: Don't expose sensitive information in error messages
- Resource Limits: Be aware of potential DoS through resource exhaustion
This package depends on:
- TypeScript: Development dependency only
- Jest: Development dependency only
- ESLint: Development dependency only
All runtime dependencies are kept to a minimum to reduce attack surface.
This security policy covers:
- The React API Forge library code
- Build and release processes
- Documentation and examples
This policy does not cover:
- Your application's implementation using React API Forge
- Third-party services you connect to via the hooks
- Security issues in React, Axios, or other dependencies (report to respective projects)
We appreciate security researchers and will acknowledge your contribution (with your permission) in:
- Security advisory credits
- CHANGELOG.md mentions
- Hall of fame (if we create one)
Thank you for helping keep React API Forge and our community safe!