| Version | Supported |
|---|---|
| 0.3.x | ✅ |
| 0.2.x | ❌ |
| < 0.2 | ❌ |
If you discover a security vulnerability in caxe, please report it responsibly:
- DO NOT open a public GitHub issue for security vulnerabilities
- Email the maintainer directly at: dhimasardinatapp@gmail.com
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Release: Depends on severity (critical: ASAP, high: 14 days, medium: 30 days)
- caxe downloads dependencies from Git URLs specified in `cx.toml`
- Always verify the source of dependencies before adding them
- Use pinned versions (`tag`, `rev`) for production projects; a `rev` holding a full commit hash is the only immutable pin, since tags can be moved or re-pushed
- Prebuilt binaries are downloaded from official GitHub releases
- SHA256 verification is available for integrity checks; it only protects against a tampered download when the expected digest comes from a source you trust (for example, one recorded in your own project), not from the same location as the binary
- Pre/post build scripts in `cx.toml` are executed during builds
- Review all scripts before running builds in untrusted projects
- Pin dependencies to specific tags or commits
- Use lockfiles (`cx.lock`) for reproducible builds
- Audit dependencies before first build
- Run in sandboxed environments for untrusted code