aric/moon-cycle
1
0
Fork 0
mirror of https://github.com/acamarata/moon-cycle.git synced 2026-06-30 18:54:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
moon-cycle/.github/wiki/SECURITY.md

1.1 KiB
Raw Blame History

Security Policy

Supported versions

Version Supported
2.x (latest) Yes
< 2.0 No

Reporting a vulnerability

moon-cycle is a pure date-to-filename mapping library. It accepts JavaScript Date objects as input and returns image filenames or CDN URLs. There is no network access, no file system access (image paths are resolved client-side), no user authentication, and no persistent state.

Security vulnerabilities are unlikely given the surface area. That said, if you find something:

  1. Do not open a public issue. That exposes the vulnerability before a fix is available.
  2. Email aric.camarata@gmail.com with the subject line "Security: moon-cycle".
  3. Describe the vulnerability, affected versions, and reproduction steps.
  4. You will receive a response within 7 days.

What counts as a security issue here

  • An input that causes the library to execute arbitrary code
  • Prototype pollution via user-provided inputs

What does not count

  • Incorrect moon phase image selection (that is a bug, not a security issue)
  • Missing input validation that causes incorrect output but no code execution