Only the latest published major version of @projgen/cli on npm receives security fixes. Older versions are not actively patched.
| Version | Supported |
|---|---|
| 3.x | ✅ Yes |
| < 3.0 | ❌ No |
Please do not open a public GitHub issue for security vulnerabilities.
If you discover a security vulnerability in @projgen/cli or the Projgen core, please report it responsibly through the following channel:
- GitHub Private Security Advisory (preferred): Report a vulnerability
To help triage your report quickly, please provide as much of the following as possible:
- A clear description of the vulnerability and its potential impact
- The affected version(s) of `@projgen/cli`
- Step-by-step reproduction instructions or a proof-of-concept
- Any suggested mitigations or fixes (optional but appreciated)
| Stage | Target timeframe |
|---|---|
| Acknowledgement of your report | Within 72 hours |
| Initial triage and severity assessment | Within 7 days |
| Fix or mitigation shipped | Within 30 days (critical), 90 days (moderate/low) |
| Public disclosure | Coordinated with reporter after fix is available |
If you do not receive an acknowledgement within 72 hours, please follow up to ensure the report was received.
This project follows a Coordinated Vulnerability Disclosure approach. Maintainers ask that reporters:
- Allow reasonable time for a fix before public disclosure
- Avoid exploiting the vulnerability or exposing user data
- Avoid destructive or disruptive testing
In return, maintainers commit to:
- Acknowledging the report promptly
- Keeping you informed of progress
- Crediting you in the fix's release notes (unless you prefer anonymity)
The following are in scope for security reports:
- Arbitrary code execution via malicious template files or CLI input
- Path traversal or file system escapes during project scaffolding
- Dependency confusion or supply chain vulnerabilities in published npm packages
- Unintended exposure of sensitive data (e.g., environment variables, credentials)
The following are out of scope:
- Vulnerabilities in development-only dependencies that do not affect the published package
- Issues in third-party tools or services not maintained by this project
- Theoretical vulnerabilities without a realistic attack scenario
When using @projgen/cli, keep the following in mind:
- Only use trusted templates. Template files can define post-install commands and file generation logic. Review templates from third-party sources before running them.
- Keep the CLI up to date. Always run the latest version: `npm install -g @projgen/cli@latest`
- Audit your dependencies. Run `npm audit` regularly in projects generated by Projgen to catch vulnerabilities in scaffolded dependency trees.
Last updated: May 2026