Please report security vulnerabilities privately.
Do not open public GitHub issues for security-related problems.
Instead, use GitHub Security Advisories or private disclosure mechanisms supported by the repository.
The project currently focuses on the latest released version.
Security fixes are generally applied to the most recent stable release.
Please report vulnerabilities related to:
- authentication or authorization bypass
- dependency vulnerabilities with practical impact
- sensitive data exposure
- remote code execution
- SSR security issues
- browser security issues
- supply-chain-related concerns
Please allow reasonable time for investigation and remediation before public disclosure.
The goal is to:
- protect users
- validate reports responsibly
- coordinate fixes safely
This project aims to follow secure-by-default principles where possible, including:
- minimal public API surface
- predictable reactive state handling
- strict TypeScript usage
- dependency minimization
- automated quality validation
- CI-based testing and verification
Security reports submitted in good faith are appreciated.