Security: hadez8877/opencli

OpenCLI Security

Supported Versions

Only the latest release of each package is actively supported with security fixes. If you are using an older version, please upgrade before reporting.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.

If you believe you have found a security vulnerability in OpenCLI, please open a security advisory in this repository. This allows us to assess and patch the issue before any public disclosure.

When reporting, please include:

  • A clear description of the vulnerability and its potential impact.
  • The affected package(s) and version(s).
  • Steps to reproduce or a minimal proof of concept.
  • Any relevant logs, error messages, or screenshots.

The more detail you provide, the faster we can triage and resolve the issue.

Response Process

Once a report is received:

  1. We will acknowledge receipt within 72 hours.
  2. We will investigate and keep you informed of our progress.
  3. If the vulnerability is confirmed, we will work on a fix and coordinate a release.
  4. We will publicly disclose the vulnerability after a patch is available, crediting you unless you prefer to remain anonymous.

Scope

This policy covers all packages published under the @opencli scope on npm and the source code in this repository. Third-party dependencies are out of scope — please report those directly to their respective maintainers.

Thank You

We appreciate responsible disclosure. Security researchers who help us keep OpenCLI safe will be acknowledged in the release notes of the corresponding fix, unless they request otherwise.