| Version | Supported |
|---|---|
| 3.x | Yes |
| 2.x | Security fixes only |
| 1.x | No |
We take security seriously at Delimit. If you discover a security vulnerability, please follow these steps:

- Do NOT create a public GitHub issue
- Email security@delimit.ai with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Your suggested fix (if any)

- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Fix Timeline: Based on severity
  - Critical: Within 7 days
  - High: Within 14 days
  - Medium: Within 30 days
  - Low: Next release
When using Delimit:
- Never commit API keys or tokens to your repository
- Use environment variables for sensitive configuration
- Keep Delimit updated to the latest version
- Review PR annotations before merging
- npm provenance: All releases are published with npm provenance attestation, linking each package version to the exact GitHub commit and CI workflow that produced it
- No install scripts: The `postinstall` hook only prints a setup reminder; no code is executed during `npm install`
- Dependency audit: All dependencies are audited for vulnerabilities before each release
- Package contents: Only `bin/`, `lib/`, `gateway/`, and documentation files are included. Secrets, tests, and dev files are excluded via `.npmignore`
- Publish workflow: Releases require CI validation, dependency audit, and secrets scan before publishing
Delimit processes your API specifications locally. The CLI and GitHub Action do not send your specs to external servers.