| Version | Supported |
|---|---|
| 1.3.x | ✅ |
| < 1.3 | ❌ |

- Node.js >=18.0.0
- npm >=9.0.0

If you discover a security vulnerability in this project, please report it responsibly:
- Do not open a public issue
- Email the maintainer directly or create a private security advisory on GitHub
- Include as much detail as possible about the vulnerability
- Allow reasonable time for response before public disclosure

This project follows NPM security best practices:
- All dependencies are pinned to exact versions
- Lifecycle scripts are disabled by default
- Provenance statements are enabled
- Regular security audits are performed
- Dependencies are kept up to date

```bash
# Run security audit
npm run security:check

# Check for vulnerabilities
npm audit

# Verify package signatures
npm audit signatures

# Fix automatically fixable issues
npm audit fix
```

This project uses the following security measures:

- Exact version pinning: All dependencies use exact versions (no `^` or `~`)
- Lockfile: `package-lock.json` is committed to ensure reproducible builds
- Audit signatures: Package integrity is verified using `npm audit signatures`
- Minimal dependencies: Only necessary dependencies are included

The project uses the following security configuration in `.npmrc`:

```ini
ignore-scripts=true
provenance=true
save-exact=true
save-prefix=''
audit-level=moderate
strict-peer-deps=true
engine-strict=true
```
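
A CI-style check for the policy above, written as an added example rather than the project's own `security:check` script: it reports `.npmrc` settings that drift from the list in this section and dependencies that are not pinned to an exact version. The function names and the sample package names and versions are constructed for illustration.

```javascript
// Added example (not the project's code): policy check over constructed inputs.
// Settings listed in this page's .npmrc section.
const REQUIRED_NPMRC = {
  'ignore-scripts': 'true', 'provenance': 'true', 'save-exact': 'true',
  'save-prefix': '', 'audit-level': 'moderate',
  'strict-peer-deps': 'true', 'engine-strict': 'true',
};

// Parse .npmrc text: key=value lines, '#' and ';' start comments.
function parseNpmrc(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || /^[#;]/.test(line) || eq === -1) continue;
    // Strip one pair of matching quotes, so save-prefix='' becomes "".
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    settings[line.slice(0, eq).trim()] = value;
  }
  return settings;
}

// List required settings that are missing or hold a different value.
function npmrcDrift(text) {
  const actual = parseNpmrc(text);
  return Object.keys(REQUIRED_NPMRC).filter((k) => actual[k] !== REQUIRED_NPMRC[k]);
}

// Exact pin = plain semver version; ^, ~, ranges, tags and URLs all fail.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Return "name@spec" for every dependency that is not pinned exactly.
function unpinnedDependencies(pkg) {
  return ['dependencies', 'devDependencies', 'optionalDependencies'].flatMap(
    (field) => Object.entries(pkg[field] || {})
      .filter(([, spec]) => !EXACT.test(spec))
      .map(([name, spec]) => `${name}@${spec}`));
}

// Constructed sample inputs (hypothetical package names and versions).
const sampleNpmrc = "ignore-scripts=false\nprovenance=true\nsave-prefix=''\n" +
  '; comment\naudit-level=moderate\nstrict-peer-deps=true\nengine-strict=true\n';
const samplePkg = {
  dependencies: { 'example-lib': '4.18.2', 'example-util': '^2.0.1' },
  devDependencies: { 'example-test': '~1.2.3', 'example-lint': '9.0.0-beta.1' },
};

console.log(npmrcDrift(sampleNpmrc));
console.log(unpinnedDependencies(samplePkg));
```
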
For more information about NPM security best practices, see: https://github.com/bodadotsh/npm-security-best-practices