| Version | Supported |
|---|---|
| 2.x (current) | ✅ |
| 1.x (prototype) | ❌ End-of-life |
Please do NOT report security vulnerabilities through public GitHub Issues.
Instead, contact the maintainer privately:
- Open a GitHub Security Advisory (preferred — keeps the report confidential until patched).
- Or email the maintainer directly. The email address can be found on their GitHub profile.
Please include as much detail as possible:
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a Proof-of-Concept.
- Your suggested fix if you have one.
You can expect an acknowledgement within 72 hours and a patch or mitigation plan within 14 days for critical issues.
LibraryPro stores all data in a local SQLite file (library.db). This file is not encrypted.
In a shared environment, ensure:
- The file resides in a directory with appropriate OS-level permissions.
- Access is restricted to the library system user account.
- Passwords are currently stored in plaintext in the
userstable. This is appropriate for a local single-workstation deployment but not for a networked environment. - Future versions will store passwords as bcrypt hashes.
- The default credentials (
admin/admin) must be changed immediately after the first login.
LibraryPro is a pure desktop application with no built-in network interface, REST API, or
web server. It does not transmit any data over the network during normal operation.
The only outbound network activity is during dependency download (build.sh deps / download_libs.ps1),
which fetches JARs from Maven Central over HTTPS.
All dependencies are fetched directly from Maven Central over HTTPS. To verify
the integrity of downloaded JARs, compare their SHA-1 checksums against the
.sha1 files available at the same Maven Central URLs.
| Version | Date | CVE / Description |
|---|---|---|
| — | — | No security fixes yet |