If you discover a security vulnerability in this project, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, use one of these methods:
- GitHub Private Advisory: Go to the Security tab of this repository and click "Report a vulnerability" to create a private security advisory.
- Email: Contact the project maintainers directly.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
We will acknowledge receipt within 48 hours and provide a timeline for a fix.
| Version | Supported |
|---|---|
Latest on main |
Yes |
| Older releases | Best effort |
This project follows these security practices:
- Dependency scanning: Dependabot alerts and weekly
pip-audit/npm auditin CI - SBOM generation: CycloneDX SBOM artifacts for Python and JavaScript dependencies
- Code review: all changes go through pull requests
- Secret management: no secrets in source code; environment variables only
- Input validation: Pydantic schemas on all API endpoints
The following are known limitations that are acceptable for development but must be addressed before production deployment:
- JWT tokens stored in localStorage (consider httpOnly cookies for production)
- Default
SECRET_KEYmust be changed for production DEV_MODE=truebypasses certain security checks- Default local PostgreSQL credentials must be changed for shared or production environments
- Optional SQLite fallback should not be used for shared or production deployments
See docs/security/overview.md for the full security documentation.