| Version | Supported |
|---|---|
| 1.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via GitHub's private vulnerability reporting:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Fill in the details
Alternatively, you can email security concerns to security@marcstraube.de. Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
This is currently a solo-maintained project. I will respond as quickly as possible, typically within a week. Critical vulnerabilities are prioritized.
- We follow coordinated vulnerability disclosure
- We will credit reporters (unless anonymity is requested)
- Security advisories will be published after fixes are released
This library follows security-by-design principles:
All randomness uses `crypto.getRandomValues()` instead of `Math.random()`:

```javascript
// Correct - cryptographically secure
const buffer = new Uint32Array(1);
crypto.getRandomValues(buffer);
// Divide by 2^32 so the result lies in [0, 1), the same range as Math.random()
// (dividing by 0xffffffff would occasionally yield exactly 1.0)
const secureRandom = buffer[0] / 0x100000000;

// Avoided - predictable
const insecureRandom = Math.random();
```

All external input is validated before processing:
- Storage keys: Validated format, control characters rejected
- Filenames: Path traversal characters rejected
- URLs: Validated structure, dangerous protocols blocked
- User content: Sanitized before DOM insertion
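The first three validation rules above, written out as an added example (this is illustrative code, not the library's own; the function names, the storage-key character set, the `prefix:` convention and the protocol allowlist are assumptions):

```javascript
// Storage keys: require the namespace prefix, reject control characters
// (C0 range and DEL), then enforce a conservative printable character set.
const STORAGE_KEY_RE = /^[A-Za-z0-9_.:-]{1,128}$/;
function isValidStorageKey(key, prefix) {
  if (typeof key !== 'string' || typeof prefix !== 'string') return false;
  if (!key.startsWith(prefix + ':')) return false;   // required prefix avoids key collisions
  if (/[\x00-\x1f\x7f]/.test(key)) return false;     // control characters rejected
  return STORAGE_KEY_RE.test(key);
}

// Filenames: must be a single path component. Reject separators, NUL,
// the "." and ".." components and (conservatively) any embedded "..".
function isSafeFilename(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (/[\/\\\x00]/.test(name)) return false;         // no path separators or NUL
  if (name === '.' || name === '..') return false;   // no traversal components
  if (name.includes('..')) return false;
  return true;
}

// URLs: must parse as an absolute URL and use an allowlisted scheme.
// javascript:, data:, vbscript: and friends fail simply by not being listed.
const ALLOWED_PROTOCOLS = new Set(['https:', 'http:', 'mailto:']);
function isSafeUrl(input) {
  let url;
  try {
    url = new URL(String(input));   // throws on relative or malformed input
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);   // protocol is normalised to lower case
}
```

The fourth rule (user content) is not shown because it is just `el.textContent = value` in place of `innerHTML`, which the table below already covers.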
The following patterns are never used:
| Pattern | Risk | Alternative |
|---|---|---|
| `eval()` | Code injection | Static code paths |
| `new Function()` | Code injection | Static code paths |
| `innerHTML` | XSS | `textContent`, DOM APIs |
| `document.write()` | XSS | DOM APIs |
| `setTimeout(string)` | Code injection | Function reference |
All APIs use secure defaults:
| API | Default | Reason |
|---|---|---|
| Cookies | Secure, SameSite | Prevent interception |
| Storage prefix | Required | Prevent key collisions |
| Logger | Production-safe levels | No sensitive data leaked |
| Network retry | Limited attempts | Prevent resource exhaustion |
This library is designed to work with strict CSP:
- No inline scripts or styles
- No dynamic code evaluation
- No external resource loading
- Minimal dependencies
- Regular security audits via `pnpm audit`
- Automated dependency updates
All changes require:
- Security impact assessment
- Review of input validation
- Test coverage for security cases
- Automated security scanning (CodeQL)
- Dependency vulnerability checks
- Type checking catches type confusion attacks
- Test coverage prevents regressions
- Data is not encrypted at rest
- Subject to XSS if application has vulnerabilities
- Limited to same-origin access
Recommendation: Do not store sensitive data (tokens, PII) in client storage.
- Requires user gesture in some browsers
- Contents visible to other applications
- May be blocked by browser policies
- Can be blocked by user
- No delivery guarantee
- Content visible system-wide
Security-related changes are tagged with `security` in commit messages and documented in `CHANGELOG.md`.