moon-cycle/.github/wiki/SECURITY.md

29 lines
1.1 KiB
Markdown

# Security Policy
## Supported versions
| Version | Supported |
| --- | --- |
| 2.x (latest) | Yes |
| < 2.0 | No |
## Reporting a vulnerability
moon-cycle is a pure date-to-filename mapping library. It accepts JavaScript `Date` objects as input and returns image filenames or CDN URLs. There is no network access, no file system access (image paths are resolved client-side), no user authentication, and no persistent state.
Security vulnerabilities are unlikely given the surface area. That said, if you find something:
1. **Do not open a public issue.** That exposes the vulnerability before a fix is available.
2. Email **aric.camarata@gmail.com** with the subject line "Security: moon-cycle".
3. Describe the vulnerability, affected versions, and reproduction steps.
4. You will receive a response within 7 days.
## What counts as a security issue here
- An input that causes the library to execute arbitrary code
- Prototype pollution via user-provided inputs
## What does not count
- Incorrect moon phase image selection (that is a bug, not a security issue)
- Missing input validation that causes incorrect output but no code execution