We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| 0.9.x | ✅ |
| < 0.9 | ❌ |
We take the security of tsutils seriously. If you believe you have found a security vulnerability, please report it to us privately.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via GitHub's private vulnerability reporting:
- Navigate to the Security Advisories page
- Click "Report a vulnerability"
- Provide details about the vulnerability
Alternatively, you can email the maintainers directly.
Please include the following information in your report:
- Type of vulnerability (e.g., command injection, dependency vulnerability, etc.)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Varies by severity
  - Critical: Within 7 days
  - High: Within 30 days
  - Medium/Low: Next scheduled release
When contributing to this project:
- Never commit secrets: API keys, tokens, passwords, or other credentials
- Validate inputs: Always validate and sanitize user inputs
- Use shell escaping: When executing shell commands, use `escapeShellArg()` from `src/utils/shell.ts`
- Review dependencies: Check for known vulnerabilities before adding new dependencies
- Follow least privilege: Request minimal permissions needed
- Keep dependencies updated: Regularly update dependencies to patch security issues
When using tsutils:
- Keep updated: Always use the latest stable version
- Review permissions: Understand what permissions the tool requires
- Verify installation: Install from official sources only
- Use in trusted environments: Run in environments you control
- Report issues: Report any suspicious behavior
This project includes protection against command injection:
- All shell arguments are escaped using the `escapeShellArg()` utility
- User inputs are validated before being passed to shell commands
- File paths are resolved to prevent directory traversal
- Minimal runtime dependencies (only `commander`)
- Regular dependency updates
- Automated security scanning (planned)
- TypeScript strict mode enabled
- ESLint security rules enforced
- Regular code reviews
- Automated testing with high coverage (>94%)
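The two mechanisms listed above, single-quote escaping of shell arguments and resolving file paths so they cannot escape the repository, as an added example that is not the project's own `src/utils/shell.ts`; the function names, the repository root `/repo` and the sample inputs are constructed for illustration:

```typescript
import * as path from "node:path";

// Hypothetical escaper in the spirit of the page's escapeShellArg(): wrap the
// argument in single quotes, where no character is special except the single
// quote itself, which is handled by closing the quote, emitting \' and reopening.
function escapeShellArg(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Build a command line in which every user-influenced argument is escaped.
// With escaping, metacharacters such as ; $( ) and quotes stay literal.
function buildCommand(program: string, args: string[]): string {
  return [program, ...args.map(escapeShellArg)].join(" ");
}

// Resolve a user-supplied path against the repository root and reject it if the
// result lies outside that root (directory traversal via ".." or absolute paths).
// path.posix is used so the result is the same on every platform.
function resolveInsideRepo(repoRoot: string, userPath: string): string | null {
  const root = path.posix.resolve(repoRoot);
  const target = path.posix.resolve(root, userPath);
  const rel = path.posix.relative(root, target);
  // rel === "" is the root itself; ".." or "../x" means the target escaped the root.
  if (rel === "..") return null;
  if (rel.startsWith(".." + path.posix.sep)) return null;
  if (path.posix.isAbsolute(rel)) return null;
  return target;
}

// Constructed inputs: an argument carrying a quote, one carrying a command
// substitution, and a traversal attempt against the repository root.
const unsafeArg = "it's";
const substitutionArg = "lib/$(id).dart";
console.log(buildCommand("dart", ["format", unsafeArg, substitutionArg]));
console.log(resolveInsideRepo("/repo", "lib/main.dart"));   // inside root
console.log(resolveInsideRepo("/repo", "../etc/passwd"));   // null: escaped
```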
This tool executes external commands including:
- Git commands
- Dart SDK commands (format, analyze)
- DCM (Dart Code Metrics)
- Claude CLI
- Melos
Risk Mitigation:
- Commands are executed with escaped arguments
- File paths are validated
- External tools are optional and clearly documented
- Users must explicitly install external dependencies
This tool reads and modifies files in your repository:
- Git repository operations
- Dart source file analysis
- Configuration file reading
Risk Mitigation:
- Operations are scoped to current repository
- No external network access except for package updates
- Clear documentation of file system operations
Our CI/CD workflows follow security best practices:
- Minimal required permissions per job
- No third-party actions with write access
- Secrets managed through GitHub Secrets
- Actions should be pinned to commit SHAs (improvement in progress)
When a security vulnerability is identified:
- Assessment: Evaluate severity and impact
- Fix Development: Develop and test fix in private
- Advisory: Create GitHub Security Advisory
- Release: Release patched version
- Notification: Notify users via:
  - GitHub Security Advisories
  - Release notes
  - README update (for critical issues)
- Public Disclosure: After fix is available and users have time to update
We use the following tools to maintain security:
- TypeScript: Type safety to prevent common errors
- ESLint: Static code analysis
- Vitest: Comprehensive test coverage
- GitHub Dependabot: Dependency vulnerability scanning (planned)
- CodeQL: Security code scanning (planned)
We thank security researchers and users who responsibly disclose vulnerabilities to help keep this project secure.
For security concerns that don't require immediate attention, you can also open a discussion in the repository's Discussions section with the "security" label.