Skip to content

Security: NetVar1337/enma-lsp-pcx

Security

SECURITY.md

Security Policy

Supported versions

The latest tagged release on main is the only supported version. Older versions receive fixes only at the maintainers' discretion.

Version Supported
Latest tag
Older tags ⚠️ best-effort
Unreleased

Reporting a vulnerability

Do not open a public GitHub issue for security reports.

Use GitHub's Private vulnerability reporting feature on this repo:

  1. Go to the Security tab.
  2. Click Report a vulnerability.
  3. Provide reproduction steps and an impact assessment.

You will get a response within 72 hours. If we accept the report, expect:

  • An acknowledgement with a tracking handle.
  • A fix branch and a draft release.
  • Coordinated disclosure once a patched VSIX is published.

Scope

In scope:

  • The VS Code extension code in this repository.
  • The bundled perception.em.predefined (information disclosure, schema poisoning).
  • The bundler script (scripts/bundler.ts) — path traversal, arbitrary write.
  • The DAP attach handshake (denial of service, MITM).

Out of scope:

  • Vulnerabilities in the Perception runtime itself — report to Perception.cx directly.
  • Vulnerabilities in the Enma language compiler — report to the Enma team.
  • Generic VS Code or vscode-languageclient issues — report upstream.

Thanks for keeping the ecosystem safe.

There aren't any published security advisories