Security fixes are provided for the latest code line only.
| Version | Supported |
|---|---|
main |
Yes |
Latest tagged release (v1.x) |
Yes |
| Older tags/branches | No |
Security scanning runs automatically in CI and on a weekly schedule so newly disclosed issues are caught even without new commits:
- CodeQL (
.github/workflows/codeql.yml) — SAST for JavaScript/TypeScript and Python using thesecurity-and-qualityquery suite. - Dependency Review — blocks PRs that introduce high-severity vulnerable
dependencies (
.github/workflows/security.yml). npm audit+pip-audit— scan production dependencies for known advisories on every PR, push tomain, and weekly.- Dependabot (
.github/dependabot.yml) — weekly dependency update PRs for npm, pip, GitHub Actions, and Docker, plus automatic security updates.
- Set strong, unique
JWT_SECRETandSECRET_ENCRYPTION_KEY(≥ 16 chars). WithNODE_ENV=productionthe server refuses to start if either is unset or a known default value. - Lock down browser access with
CORS_ORIGIN(comma-separated allowlist) in shared deployments. - Outbound workflow/webhook requests to cloud-metadata/link-local addresses
(e.g.
169.254.169.254) are always blocked; setSSRF_BLOCK_PRIVATE=trueto also block private/loopback ranges. - The CSV import node reads only inside
CSV_IMPORT_DIR(defaults to the working directory) to prevent path traversal. - JWTs are pinned to
HS256; secrets are redacted from request logs and error messages; TOTP and password comparisons are constant-time.
Please do not open public GitHub issues for security vulnerabilities.
Use GitHub's private vulnerability reporting for this repository:
- Go to the repository
Securitytab. - Open
Report a vulnerability. - Include clear reproduction steps, affected components, impact, and suggested mitigation if available.
If private reporting is unavailable, contact the repository owner directly and include the same details.
- Affected version/commit (
git rev-parse --short HEADif possible) - Environment details (OS, Docker version, browser, etc.)
- Steps to reproduce
- Proof-of-concept or logs/screenshots
- Impact assessment (confidentiality, integrity, availability)
- Any known workaround
- Initial acknowledgment: within 72 hours
- Triage decision: within 7 days
- Status updates: at least every 7 days while active
- We follow coordinated disclosure.
- Please allow time for validation, fix development, and release before public disclosure.
- After a fix is released, we may publish a summary advisory and mitigation guidance.
In scope:
- Authentication/authorization bypass
- Secret leakage or encryption weaknesses
- Remote code execution
- SSRF, injection, path traversal, deserialization risks
- Workflow execution isolation failures
Out of scope (unless chained with security impact):
- Feature requests
- UI/UX bugs without security impact
- Self-host misconfiguration without product defect
- Denial of service requiring unrealistic local-only assumptions
We support good-faith security research. If you act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate, we will not pursue legal action for your research.