We take security seriously. If you discover a security vulnerability, please report it responsibly.
- Do not open a public GitHub issue for security vulnerabilities
- Email the maintainers directly or use GitHub's private vulnerability reporting feature
- Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
This security policy applies to:
- The Yet Another Git Gui application
- Vulnerabilities in dependencies (please report to the respective projects)
- Issues that require physical access to a user's machine
- Social engineering attacks
When using Yet Another Git Gui:
- Keep the application updated to the latest version
- Only open repositories from trusted sources
This project enforces a 7-day dependency cooldown to reduce the risk of supply-chain attacks. Newly published npm package versions cannot enter the dependency graph until they have been available on the registry for at least 7 days, giving the community time to detect and flag malicious releases.
pnpm's built-in minimumReleaseAge setting in pnpm-workspace.yaml blocks resolution of any package version published less than 10,080 minutes (7 days) ago. This applies to both direct and transitive dependencies.
The cooldown is enforced at resolution time — when pnpm resolves new versions during pnpm install, pnpm add, or pnpm update. It is not re-checked during --frozen-lockfile installs (CI) or by Dependabot, which resolves versions using its own updater.
For urgent updates (e.g., a critical security patch published today), add the package to minimumReleaseAgeExclude in pnpm-workspace.yaml:
minimumReleaseAgeExclude:
- 'package-name@1.2.3' # exact version
- '@scope/*' # all packages from a scopeFor Cargo/Rust dependencies, cargo-cooldown provides equivalent functionality as a lightweight cargo wrapper. It is not currently configured in this project but can be added by installing the tool and creating a cooldown.toml in src-tauri/.