We actively support the following versions of @apical-ts/craft with security updates:

| Version | Supported |
|---------|-----------|
| 0.x.x   | ✅        |


We take security vulnerabilities seriously. If you discover a security vulnerability in @apical-ts/craft, please report it responsibly.

- Do NOT create a public GitHub issue for security vulnerabilities
- Do NOT disclose the vulnerability publicly until it has been addressed

Instead, please report security vulnerabilities by:

- Email: Send details to the maintainer using the contact listed on gunzip's GitHub profile
- GitHub Security Advisories: Use GitHub's security advisory feature for this repository


Please include the following information in your security report:

- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes or mitigations
- Your contact information for follow-up questions

Once your report is received, you can expect:

- Initial Response: We will acknowledge receipt of your report within 48 hours
- Assessment: We will provide an initial assessment within 7 days
- Resolution: We aim to resolve critical vulnerabilities within 30 days
- Disclosure: We will coordinate responsible disclosure after fixes are available


When using @apical-ts/craft:

- Keep Dependencies Updated: Regularly update to the latest version
- Review Generated Code: Always review generated client code before using it in production
- Validate Inputs: Ensure OpenAPI specifications are from trusted sources
- Secure Secrets: Never commit API keys or secrets to version control
- Use HTTPS: Always use HTTPS for API communications in generated clients


@apical-ts/craft includes security-conscious features:

- Input Validation: Generated Zod schemas provide runtime validation of request and response data
- Type Safety: Full TypeScript typing rules out many common vulnerabilities at compile time
- Secure Headers: Authentication headers are handled correctly in generated clients
- No Arbitrary Code Execution: The generator only processes OpenAPI specifications


To find and fix vulnerabilities in our own code and dependencies, we use:

- Dependabot: Automated dependency updates for known vulnerabilities
- CodeQL: Static analysis for security issues
- npm audit: Regular auditing of dependency vulnerabilities


We appreciate security researchers who responsibly disclose vulnerabilities. Contributors who help improve our security will be acknowledged in our release notes (with their permission).

If you have questions about this security policy, please create a GitHub Discussion or contact the maintainers.