- Supported Versions
- Reporting a Vulnerability
- Disclosure Policy
- Security Measures
- EU Cyber Resilience Act (CRA) Compliance
- Further Reading
## Supported Versions

Only the latest major version receives security patches. Older major versions are unsupported.

| Version | Supported |
|---|---|
| Latest major | ✅ |
| Older majors | ❌ |
## Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Use the **Report a vulnerability** button in the **Security** tab of this repository. This keeps the report private until a fix is ready.
## Disclosure Policy

We will acknowledge your report within 72 hours and aim to release a fix or mitigation within 90 days. We will notify you before public disclosure.

| Milestone | Commitment |
|---|---|
| Acknowledgement | Within 72 hours |
| Fix or mitigation | Within 90 days |
| Public disclosure | After fix is released |
This project follows the Coordinated Vulnerability Disclosure model.
## Security Measures

We maintain security through automated scanning, dependency management, and secure development practices.

- **Tool:** CodeQL
- **Location:** `.github/workflows/security.yml`
- **Frequency:** On every push to `next`, all PRs, and a weekly schedule
- **What it does:** Performs static analysis to detect security vulnerabilities (TOCTOU race conditions, unvalidated network data, injection risks, etc.)
- **Where to see results:** GitHub Security → Code scanning
- **Tool:** Dependabot
- **Location:** `.github/dependabot.yml`
- **Frequency:** Weekly (Mondays 06:00 UTC+2)
- **What it does:**
  - Scans `package.json` for vulnerable dependency versions
  - Creates automated PRs with security updates
  - Pins critical versions (e.g., `@playwright/test@1.59.1`, `typescript@5.6.3`) to prevent breaking updates
  - Configured ignore rules prevent incompatible versions from being installed
- **Dependency Pinning:**
  - `@types/node`: kept at 24.x (≥25.0.0 incompatible with Angular output-target)
  - `typescript`: pinned to 5.6.3 (5.7.0+ breaks compilation)
  - `@playwright/test`: pinned to 1.59.1 (visual regression testing requires exact version)
  - `lottie-web`: pinned to 5.8.1 (all upgrades cause animation breakage)
- **Where to see results:** GitHub Security → Dependabot alerts
- **Format:** npm `package.json` + `package-lock.json`
- **Location:** Root repository and each workspace package
- **Contents:**
  - All runtime dependencies with versions (shipped to consumers)
  - Build and development dependencies (build-time only)
  - Locked versions in `package-lock.json` ensure reproducible builds
How to generate a manifest:

```bash
npm ls          # View dependency tree
npm audit       # Check for known vulnerabilities
npm ls --all    # Include transitive dependencies
```

Reproducible Builds:
- `package-lock.json` locked and committed to ensure identical installs across environments
- `npm ci` (clean install) used in CI instead of `npm install`
- Monorepo managed by Turborepo with deterministic task execution
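As an added example (not part of this project's code), the Dependency Pinning rules above and the committed `package-lock.json` can be tied together with a small Node.js CI gate that fails the build when a resolved version drifts from the policy. It assumes the npm lockfile v2/v3 layout (installed copies keyed by path under `packages`); the lockfile excerpt in the block is constructed, and running it as `node check-pins.js path/to/package-lock.json` exits non-zero on any violation.

```javascript
// Added example (not project code): CI gate that fails when resolved versions in
// package-lock.json drift from the Dependency Pinning policy. "exact" must match
// verbatim; "major" allows any release on that line (@types/node: 24.x, never >=25).
const PIN_POLICY = {
  "typescript": { exact: "5.6.3" },
  "@playwright/test": { exact: "1.59.1" },
  "lottie-web": { exact: "5.8.1" },
  "@types/node": { major: 24 },
};
// Lockfile v2/v3 (assumed layout) keys each installed copy by path, so nested
// duplicates like "node_modules/a/node_modules/typescript" are checked as well.
function resolvedVersions(lock, name) {
  const leaf = "node_modules/" + name;
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === leaf || path.endsWith("/" + leaf)) versions.add(entry.version);
  }
  return [...versions];
}
// Returns violation messages; an empty array means the lockfile complies.
function checkPins(lock, policy = PIN_POLICY) {
  const violations = [];
  for (const [name, rule] of Object.entries(policy)) {
    const versions = resolvedVersions(lock, name);
    if (versions.length === 0) violations.push(`${name}: not present in lockfile`);
    for (const v of versions) {
      if (rule.exact !== undefined && v !== rule.exact)
        violations.push(`${name}: locked ${v}, policy requires exactly ${rule.exact}`);
      if (rule.major !== undefined && Number(v.split(".")[0]) !== rule.major)
        violations.push(`${name}: locked ${v}, policy requires ${rule.major}.x`);
    }
  }
  return violations;
}
// Constructed sample: typescript drifted to 5.7.2; a nested @types/node 25.0.1 sits beside 24.1.0.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/typescript": { version: "5.7.2" },
    "node_modules/@playwright/test": { version: "1.59.1" },
    "node_modules/lottie-web": { version: "5.8.1" },
    "node_modules/@types/node": { version: "24.1.0" },
    "node_modules/some-tool/node_modules/@types/node": { version: "25.0.1" },
  },
};
if (typeof module !== "undefined" && require.main === module && process.argv[2]) {
  const problems = checkPins(JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")));
  problems.forEach((p) => console.error("PIN VIOLATION: " + p));
  process.exit(problems.length === 0 ? 0 : 1);
}
```

Wire it into the CI job that runs after `npm ci` so a drifted lockfile is caught before the build, not after Dependabot's next weekly run.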
Release Provenance:
- `release.yml` publishes packages with GitHub provenance attestation
- npm packages include proof that they were built and signed by GitHub Actions
- Consumers can verify packages were built from this repository
Version Control:
- All commits are tagged for releases (e.g., `v1.2.3`)
- GitHub release notes document changes for each version
- Git history is immutable and auditable
Access Control:
- Only GitHub Actions workflows can publish to npm
- No manual npm access tokens needed
- OIDC token exchange provides short-lived, scoped authentication
## EU Cyber Resilience Act (CRA) Compliance

This project follows practices required by the EU Cyber Resilience Act for medium/high-risk software:

| Requirement | Implementation |
|---|---|
| Vulnerability management | Private disclosure via GitHub Security Advisories (72h response) |
| Dependency scanning | Dependabot with weekly scans and automated patch PRs |
| Code analysis | CodeQL SAST on every push/PR and weekly schedule |
| Secure development | Branch protection, code review, CI/CD gates (lint, test, build) |
| Incident response | 72h acknowledgement, 90d fix timeline for reported vulnerabilities |
| SBOM / Transparency | package.json + package-lock.json document all dependencies |
| Aspect | Policy |
|---|---|
| Supported range | Only the latest major version receives patches |
| Patch frequency | Security patches released within 90 days |
| EOL status | Older major versions no longer receive updates |
| Breaking changes | Communicated via changelog and release notes |
- Pre-release scanning: CodeQL and Dependabot checks on all incoming PRs
- Changeset review: Core team reviews all proposed version changes
- Build verification: Automated build, lint, and test suite runs before release
- Release publication: GitHub Actions publishes with provenance attestation
- Disclosure: Release notes and CHANGELOG.md updated with all changes
For security concerns not covered by this policy, email the maintainers (see CONTRIBUTING.md for contact info).
## Further Reading

For more information on secure development in this project:
- CONTRIBUTING.md → Vulnerability reporting and responsible disclosure
- ARCHITECTURE.md → CI/CD Pipeline → Security scanning workflows and automation
- DEVELOPMENT.md → Development setup and local testing
- STYLE_GUIDE.md → Security → Code patterns that avoid common vulnerabilities