We actively support the following versions of Slate UI Kit with security updates:
| Version | Supported |
|---|---|
| 2.x | ✅ |
| 1.x | ❌ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover one, please follow these steps:
Do not report security vulnerabilities through public GitHub issues; a public issue discloses the problem to everyone before a fix exists.
Send an email to hello@neerajkumar.name with the following information:
- Type of issue (e.g. XSS, CSRF, SQL injection)
- Full paths of source file(s) related to the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
What to expect after reporting:
- Initial Response: We'll acknowledge receipt of your report within 48 hours
- Status Updates: We'll provide updates on the progress of fixing the vulnerability
- Resolution: We'll notify you when the vulnerability is fixed and a release is available
Disclosure policy:
- We will credit you in the security advisory and release notes (unless you prefer to remain anonymous)
- We will not disclose the vulnerability publicly until a fix is available
- We aim to resolve critical vulnerabilities within 7 days
- We aim to resolve high-severity vulnerabilities within 30 days
When using Slate UI Kit:
- Keep dependencies updated: Regularly update Slate and its dependencies; `composer outdated` lists stale packages and `composer audit` checks the installed versions against known advisories
- Review component usage: Ensure you're using components as intended
- Validate user input: Validate user input before passing it to components, and rely on Blade's output escaping rather than input sanitization to prevent XSS
- Use HTTPS: Always use HTTPS in production, so session cookies and CSRF tokens are not exposed in transit
- Follow Laravel security practices: Apply Laravel's own security recommendations alongside this guide
Slate components are rendered through Laravel's Blade templating engine, whose `{{ }}` syntax HTML-escapes output. The `{!! !!}` syntax renders content unescaped, so use it only for content you control or that has already been escaped, and never pass user-supplied data through it. Two caveats: `{{ }}` also renders `Illuminate\Support\HtmlString` instances unescaped, so treat a `new HtmlString(...)` wrapper the same way as `{!! !!}`; and HTML escaping only protects HTML text and quoted attribute values, so a value placed in an `href` or inside a `<script>` block needs context-specific handling (for example, an allowlist of URL schemes) in addition to escaping.
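To make the difference concrete, here is an added example in plain PHP; it is not code from Slate UI Kit or Laravel. `escapeLikeBlade()` makes the same `htmlspecialchars()` call that Laravel's `e()` helper, and therefore `{{ }}`, makes for a plain string. The attacker payloads are constructed, and `isSafeHttpUrl()` is an assumed helper that goes beyond the paragraph above to show the `href` case where escaping alone is not enough.

```php
<?php
// Added example, not code from Slate UI Kit or Laravel. escapeLikeBlade() makes the
// same htmlspecialchars() call Laravel's e() helper makes for a plain string, which
// is what {{ }} does, so the contrast with {!! !!} can be seen without a Laravel app.
declare(strict_types=1);

function escapeLikeBlade(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker input, e.g. a display name submitted through a form.
$untrusted = '"><img src=x onerror="alert(document.cookie)">';

// {{ $name }}: the payload stays inert text inside the quoted attribute.
$escaped = '<span title="' . escapeLikeBlade($untrusted) . '">profile</span>';

// {!! $name !!}: the leading quote closes the attribute and the <img> is live.
$raw = '<span title="' . $untrusted . '">profile</span>';

echo $escaped, PHP_EOL;
echo $raw, PHP_EOL;

// Nothing that can close the attribute or open a tag survives escaping.
assert(!preg_match('/[<>"]/', escapeLikeBlade($untrusted)));

// Escaping is context-specific: a javascript: URL contains no HTML metacharacters,
// so it passes through {{ }} unchanged and is still executable inside href.
// Assumed helper: check the scheme against an allowlist before rendering a URL.
function isSafeHttpUrl(string $url): bool
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

$link = 'javascript:alert(document.cookie)';
echo '<a href="' . escapeLikeBlade($link) . '">profile</a>', PHP_EOL;

assert(escapeLikeBlade($link) === $link);   // escaping changed nothing
assert(!isSafeHttpUrl($link));
assert(isSafeHttpUrl('https://example.com/profile'));
```

Run it with `php escape-demo.php`: the first line shows the payload reduced to `&quot;` and `&lt;` entities, the second shows the injected `<img>` intact. The `href` case is the reason the best-practice list says to validate input as well as escape output.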
For forms using Slate components, include Laravel's CSRF token with the `@csrf` directive; Laravel's CSRF middleware rejects POST, PUT, PATCH and DELETE requests that lack a valid token:

```blade
<form method="POST" action="/submit">
    @csrf
    <x-slate::input name="email" />
    <x-slate::button type="submit">Submit</x-slate::button>
</form>
```

If you're using a Content Security Policy (CSP), ensure it allows:
- Inline styles in `style-src` (if using Tailwind's JIT mode); prefer a per-response nonce on the `<style>` tags you control over `'unsafe-inline'`
- Alpine.js expression evaluation (if using Alpine.js components): the standard Alpine build evaluates `x-data`, `x-on` and similar directive expressions with `new Function()`, which needs `'unsafe-eval'` in `script-src`; the CSP-compatible build (`@alpinejs/csp`) avoids this at the cost of a restricted expression syntax
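One way to ship such a policy, as an added example that is not part of Slate UI Kit: a Laravel middleware that generates a per-response nonce, shares it with Blade views, and sends a `Content-Security-Policy` header covering both needs listed above. It assumes a Vite-based front end (`Vite::useCspNonce()` is Laravel's own helper for tagging `@vite` output with the nonce); the class name, the directive list and the `ALPINE_NEEDS_UNSAFE_EVAL` switch are assumptions to adapt to your application.

```php
<?php
// Added example, not Slate UI Kit's own code: a Laravel middleware that sends a
// nonce-based Content Security Policy accommodating Tailwind inline styles and
// Alpine.js. Class name, directive list and ALPINE_NEEDS_UNSAFE_EVAL are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Vite;
use Symfony\Component\HttpFoundation\Response;

class ContentSecurityPolicy
{
    // The standard Alpine build evaluates directive expressions with new Function(),
    // which CSP only permits with 'unsafe-eval'. Set to false if you ship @alpinejs/csp.
    private const ALPINE_NEEDS_UNSAFE_EVAL = true;

    public function handle(Request $request, Closure $next): Response
    {
        // Fresh random nonce per response. Vite::useCspNonce() generates it and makes
        // the @vite directive add nonce="..." to the <script>/<link> tags it emits.
        $nonce = Vite::useCspNonce();

        // Expose it so templates can write nonce="{{ $cspNonce }}" on their own
        // <style> and <script> tags instead of relying on 'unsafe-inline'.
        view()->share('cspNonce', $nonce);

        $response = $next($request);
        $response->headers->set('Content-Security-Policy', self::policy($nonce));

        return $response;
    }

    public static function policy(string $nonce): string
    {
        $scriptSrc = ["'self'", "'nonce-{$nonce}'"];
        if (self::ALPINE_NEEDS_UNSAFE_EVAL) {
            $scriptSrc[] = "'unsafe-eval'";
        }

        $directives = [
            'default-src'     => ["'self'"],
            'script-src'      => $scriptSrc,
            // Nonce your own <style> tags; fall back to 'unsafe-inline' here only if a
            // runtime style injector cannot carry the nonce. Never do that for script-src.
            'style-src'       => ["'self'", "'nonce-{$nonce}'"],
            'img-src'         => ["'self'", 'data:'],
            'font-src'        => ["'self'"],
            'object-src'      => ["'none'"],
            'base-uri'        => ["'self'"],
            'form-action'     => ["'self'"],
            'frame-ancestors' => ["'none'"],
        ];

        return implode('; ', array_map(
            fn (string $name, array $sources) => $name . ' ' . implode(' ', $sources),
            array_keys($directives),
            $directives,
        ));
    }
}
```

Register the class in the `web` middleware group, then add `nonce="{{ $cspNonce }}"` to any `<style>` or `<script>` you write in Blade templates. Alpine's `x-on:click` and `@click` attributes are not native inline event handlers, so they are not what the policy needs to allow; the only concession the standard build requires is `'unsafe-eval'`, and switching to `@alpinejs/csp` lets you drop it. `base-uri`, `form-action` and `frame-ancestors` are not required by Slate but close off base-tag injection, form hijacking and clickjacking at the same time.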
Security updates will be released as:
- Patch versions (e.g., 2.1.0 → 2.1.1) for critical security fixes
- Minor versions (e.g., 2.1.0 → 2.2.0) for security improvements
All security updates will be documented in the CHANGELOG.md.
Thank you for helping keep Slate UI Kit and its users safe! 🙏