mirror of
https://github.com/acamarata/solar-spa.git
synced 2026-07-01 03:14:31 +00:00
- Trim README to ≤80 lines with wiki link for full docs
- Add CHANGELOG.md with initial entry
- Fix CI: replace pinned pnpm/action-setup with corepack enable
- Add "type": "module" and flat exports map (ADR-015)
- Add ./package.json exports entry
- Add coverage script
- Rename wasm/spa-module.js → wasm/spa-module.cjs to fix CJS/ESM conflict
- Update src/index.ts and tsup.config.ts to reference spa-module.cjs
- Add .github/wiki pages: _Sidebar, _Footer, SECURITY, CODE_OF_CONDUCT
31 lines
1.1 KiB
Markdown
# Security Policy

## Supported Versions

| Version | Supported |
| --- | --- |
| 2.x | Yes |
| 1.x | No |

Only the latest major version receives security fixes.

## Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Email: aric.camarata@gmail.com

Include:

- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fix, if you have one

You will receive an acknowledgment within 48 hours and a resolution timeline within 7 days. Once a fix is ready and deployed, the vulnerability will be disclosed publicly with credit to the reporter (unless you prefer to remain anonymous).

## Scope

This package is a WASM-based computation library. It performs no network requests, reads no files, and holds no credentials. The primary security concern would be a memory safety issue in the WASM binary or a supply-chain compromise of the npm package.

The WASM binary is compiled from the [NREL SPA C source](https://midcdmz.nrel.gov/spa/) with Emscripten. The compiled output (`wasm/spa-module.js`) is checked into the repository so its contents can be audited directly.