mirror of
https://github.com/acamarata/temporal-hijri.git
synced 2026-07-01 11:24:29 +00:00
30 lines
1.1 KiB
Markdown
30 lines
1.1 KiB
Markdown
# Security Policy
|
|
|
|
## Supported versions
|
|
|
|
| Version | Supported |
|
|
| --- | --- |
|
|
| 1.x (latest) | Yes |
|
|
| < 1.0 | No |
|
|
|
|
## Reporting a vulnerability
|
|
|
|
temporal-hijri is a pure calendar computation library. It implements the Temporal Calendar Protocol over Hijri calendar data. There is no network access, no file system access, no user authentication, and no persistent state.
|
|
|
|
Security vulnerabilities are unlikely given the surface area. That said, if you find something:
|
|
|
|
1. **Do not open a public issue.** That exposes the vulnerability before a fix is available.
|
|
2. Email **aric.camarata@gmail.com** with the subject line "Security: temporal-hijri".
|
|
3. Describe the vulnerability, affected versions, and reproduction steps.
|
|
4. You will receive a response within 7 days.
|
|
|
|
## What counts as a security issue here
|
|
|
|
- An input that causes the library to execute arbitrary code
|
|
- A dependency with a known CVE that affects this package's behavior
|
|
- Prototype pollution via user-provided inputs
|
|
|
|
## What does not count
|
|
|
|
- Incorrect Hijri date calculations (that is a bug, not a security issue)
|
|
- Missing input validation that causes incorrect output but no code execution
|