We release patches for security vulnerabilities. Currently supported versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: [INSERT-EMAIL]
Include:

- Type of vulnerability
- Full paths of affected source files
- Location of affected code (tag/branch/commit)
- Step-by-step instructions to reproduce
- Proof-of-concept or exploit code (if possible)
- Impact of the issue

In return, you can expect:

- Acknowledgment within 48 hours
- Regular updates on progress
- Credit for discovery (if desired)

When using this library:

- Validate All Inputs: Even though the library has validation, always validate user inputs in your application
- Browser Security: Ensure your application runs over HTTPS
- Content Security Policy: Configure appropriate CSP headers
- Model Sources: Only load models from trusted CDNs
- Data Privacy: Remember that while processing is local, model downloads require network access

This library processes data client-side, but be aware:

- LLM models can hallucinate data
- Validation reduces but doesn't eliminate hallucinations
- Always verify extracted data for sensitive use cases
- Model downloads happen over the network

Response process:

1. Report received
2. Issue confirmed and assessed
3. Patch developed
4. Patch tested
5. Security advisory published
6. Patch released

We aim to address critical vulnerabilities within 7 days.