| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Security fixes are released as patch versions (e.g. 1.0.1) when applicable.
Do not open a public GitHub issue for security vulnerabilities.
- Use GitHub Security Advisories (preferred), or contact the maintainer privately via GitHub.
- Include: affected version, steps to reproduce, and impact (e.g. code execution, data exposure).
- Avoid posting exploit details, payloads, or live attack demos in public channels until a fix is available.
We aim to acknowledge reports within a reasonable timeframe and coordinate disclosure after a fix or mitigation is ready.
| In scope | Out of scope |
|---|---|
The scriptdx library code shipped in the npm package (dist/) |
The static demo under www/ (hosting, CDN, third-party assets) |
| Documented public API in docs/API.md | Applications that depend on scriptdx (consumer CLI scripts, CI pipelines) |
| Build/tooling in this repo only if it affects published artifacts | Social engineering, npm account compromise, misconfigured .env in consumer projects |
scriptdx writes ANSI-colored output to stdout/stderr and does not open network sockets or read arbitrary files by design. Reports about terminal escape sequences in untrusted input strings passed to logging helpers are welcome if you believe they enable misleading UI or terminal abuse in realistic CLI usage.
- Pin semver ranges in
package.jsonand review changelogs on upgrades. - Do not pass untrusted user input directly into terminal output without sanitization if your threat model requires it.
- Keep Node.js and dependencies updated in applications that embed this library.