We take security seriously and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| 0.7.x | ✅ |
| < 0.7 | ❌ |
We greatly appreciate security research and responsible disclosure of vulnerabilities. If you discover a security vulnerability in eserstack, please report it to us promptly.
Please DO NOT report security vulnerabilities through public GitHub issues. Instead, use one of the following methods:
- GitHub Security Advisories (Preferred): Use GitHub's private vulnerability reporting feature
- Email: Send details to [email protected]
When reporting a vulnerability, please provide:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested mitigations or fixes
- Your contact information for follow-up
After you report a vulnerability, you can expect the following timeline:
- Initial Response: We will acknowledge receipt within 48 hours
- Status Update: We will provide a status update within 7 days
- Resolution: We aim to resolve critical vulnerabilities within 30 days
When using eserstack, please follow these security best practices:
- Register only factory functions from code you control; a factory runs with the full privileges of the process when its service is resolved
- Avoid registering secrets (credentials, API keys, tokens) directly as singleton services; register a factory that reads them from the environment when they are needed
- Catch errors thrown inside service factories and hand the caller a sanitized error, so stack traces and internal details (such as connection strings) do not leak
- Don't expose internal services through public APIs
- Never commit sensitive configuration data to version control
- Use environment variables for secrets and credentials
- Validate all configuration inputs
- Use secure defaults for configuration options
- Always validate input data before processing
- Use error boundaries that log full details internally and return only a generic message plus a reference id to callers, so failures do not expose internal state
- Sanitize user-provided data before parsing it
- Treat dynamic imports and any other form of code execution as trusted-input only; never build an import specifier from user-supplied data
- Validate file paths to prevent directory traversal attacks
- Use proper permissions and access controls
- Avoid processing untrusted file contents without validation
- Enforce resource limits on file operations (maximum file size, maximum number of files per operation) so attacker-controlled input cannot exhaust memory or disk
eserstack includes several security features:
- Input Validation: Built-in validation for service tokens and configuration
- Error Boundaries: Proper error handling to prevent information disclosure
- Type Safety: Strong TypeScript typing that catches many misuse errors at compile time (it does not validate data arriving at runtime, so the input validation practices above still apply)
- Secure Defaults: Conservative default configurations
- Dependency Isolation: Controlled dependency injection to prevent unauthorized access
The collector module uses dynamic imports. If a module path is derived from untrusted input, an attacker can make the collector load and execute arbitrary code, so validate module paths against a trusted root before passing them to the collector.
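As an added example (not eserstack's own code), the following TypeScript shows the two checks a collector caller should make before loading a module: a lexical path check that pins an untrusted specifier under a trusted root, and a bounded read that refuses oversized files instead of truncating them. The collector root, the `.js`/`.mjs`/`.cjs` extension allowlist and the `buildSampleRoot` fixture are assumptions made for the example.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Extensions the hypothetical collector is willing to load; everything else is refused.
const ALLOWED_EXTENSIONS = new Set([".js", ".mjs", ".cjs"]);

export class UnsafeModulePathError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "UnsafeModulePathError";
  }
}

export class FileTooLargeError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "FileTooLargeError";
  }
}

/**
 * Resolve an untrusted module specifier against a trusted collector root and
 * return the absolute path to load, or throw if it escapes the root.
 * The check is purely lexical; symlinks inside the root are not followed here.
 */
export function resolveModulePath(root: string, requested: string): string {
  if (typeof requested !== "string" || requested.length === 0) {
    throw new UnsafeModulePathError("empty module path");
  }
  if (requested.includes("\0")) {
    throw new UnsafeModulePathError("NUL byte in module path");
  }
  // Only paths relative to the root are acceptable: no absolute paths, no URL or drive-letter specifiers.
  if (path.isAbsolute(requested) || /^[A-Za-z][A-Za-z0-9+.-]*:/.test(requested)) {
    throw new UnsafeModulePathError("absolute path or URL specifier not allowed");
  }
  const rootAbs = path.resolve(root);
  const candidate = path.resolve(rootAbs, requested);
  // After normalisation, anything outside the root shows up as a ".." prefix (or another drive on Windows).
  const rel = path.relative(rootAbs, candidate);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new UnsafeModulePathError("module path escapes the collector root");
  }
  const ext = path.extname(candidate);
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    throw new UnsafeModulePathError(`extension "${ext || "(none)"}" is not loadable`);
  }
  return candidate;
}

/** Non-throwing form for callers that only want a yes/no before touching the collector. */
export function isSafeModulePath(root: string, requested: string): boolean {
  try {
    resolveModulePath(root, requested);
    return true;
  } catch {
    return false;
  }
}

/** Read at most maxBytes from a file; refuse (rather than silently truncate) anything larger. */
export function readBounded(filePath: string, maxBytes: number): Buffer {
  const fd = fs.openSync(filePath, "r");
  try {
    // fstat on the open descriptor, not stat on the path, so the size belongs to the file actually opened.
    const size = fs.fstatSync(fd).size;
    if (size > maxBytes) {
      throw new FileTooLargeError(`file is ${size} bytes, limit is ${maxBytes}`);
    }
    // Read one byte past the limit so a file that grows between fstat and read is still caught.
    const buf = Buffer.alloc(maxBytes + 1);
    let total = 0;
    while (total < buf.length) {
      const n = fs.readSync(fd, buf, total, buf.length - total, total);
      if (n === 0) break;
      total += n;
    }
    if (total > maxBytes) {
      throw new FileTooLargeError(`file grew past the ${maxBytes} byte limit while reading`);
    }
    return buf.subarray(0, total);
  } finally {
    fs.closeSync(fd);
  }
}

/** Constructed fixture: a throwaway collector root holding two sample modules (not real plugins). */
export function buildSampleRoot(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "eserstack-collector-"));
  fs.writeFileSync(path.join(root, "plugin.js"), "module.exports = { name: 'sample' };\n");
  fs.writeFileSync(path.join(root, "big.js"), "// " + "x".repeat(4096) + "\n");
  return root;
}
```

Because `resolveModulePath` is lexical, a symlink placed inside the root can still point outside it; when the file must exist anyway, call `fs.realpathSync` on the resolved path and run the same root check on the result before importing.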
Configuration files are loaded and parsed dynamically. Ensure configuration files come from trusted sources and validate their contents (allowed keys, types, ranges) before use.
Service factory functions in the DI container execute arbitrary code with the privileges of the host process. Only register factory functions you trust.
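As an added example (not eserstack's container API), this TypeScript shows a minimal DI container that applies the service-registration practices above: a token can be registered only once and the registry can be sealed after bootstrap, so a trusted factory cannot be replaced later; a factory failure is caught at an error boundary that keeps the full detail under a correlation id and hands the caller only the token name and that id; and a restricted `publicView` resolver exposes only services registered as public. The `Token`, `Visibility`, and `publicView` names and the in-memory failure log standing in for a real logger are assumptions made for the example.

```typescript
import { randomUUID } from "crypto";

// A token is a unique symbol that carries the service type at compile time only.
export type Token<T> = symbol & { readonly __service?: T };
export function token<T>(name: string): Token<T> {
  return Symbol(name) as Token<T>;
}

export interface Resolver {
  resolve<T>(tok: Token<T>): T;
}
export type Factory<T> = (resolver: Resolver) => T;
export type Visibility = "public" | "internal";

/** Error handed to callers: names the token and a correlation id, nothing else. */
export class ServiceError extends Error {
  readonly correlationId: string;
  constructor(message: string, correlationId: string) {
    super(message);
    this.name = "ServiceError";
    this.correlationId = correlationId;
  }
}

export class Container implements Resolver {
  private readonly factories = new Map<symbol, Factory<unknown>>();
  private readonly visibility = new Map<symbol, Visibility>();
  private readonly singletons = new Map<symbol, unknown>();
  private sealed = false;
  // Stands in for a real logger so the example runs offline; only operators read these entries.
  private readonly internalLog: string[] = [];

  /** Register a factory exactly once; a second registration for the same token is refused. */
  register<T>(tok: Token<T>, factory: Factory<T>, visibility: Visibility = "internal"): void {
    if (this.sealed) {
      throw new Error("container is sealed; no further registrations");
    }
    if (typeof factory !== "function") {
      throw new TypeError(`factory for ${String(tok)} must be a function`);
    }
    if (this.factories.has(tok)) {
      throw new Error(`${String(tok)} is already registered`);
    }
    this.factories.set(tok, factory as Factory<unknown>);
    this.visibility.set(tok, visibility);
  }

  /** Freeze the registry once bootstrap is done. */
  seal(): void {
    this.sealed = true;
  }

  resolve<T>(tok: Token<T>): T {
    if (this.singletons.has(tok)) {
      return this.singletons.get(tok) as T;
    }
    const factory = this.factories.get(tok);
    if (factory === undefined) {
      throw new ServiceError(`no service registered for ${String(tok)}`, randomUUID());
    }
    try {
      const instance = factory(this) as T;
      this.singletons.set(tok, instance);
      return instance;
    } catch (err) {
      // Error boundary: the full failure (which may carry a connection string or stack trace) stays
      // server-side under a correlation id; the caller learns only the token name and that id.
      const id = randomUUID();
      const detail = err instanceof Error ? (err.stack ?? err.message) : String(err);
      this.internalLog.push(`[${id}] factory for ${String(tok)} failed: ${detail}`);
      throw new ServiceError(`failed to create ${String(tok)} (ref ${id})`, id);
    }
  }

  /** A resolver that reaches only services registered as public; hand this to plugins or request handlers, never the container itself. */
  publicView(): Resolver {
    return {
      resolve: <T>(tok: Token<T>): T => {
        if (this.visibility.get(tok) !== "public") {
          throw new ServiceError(`${String(tok)} is not a public service`, randomUUID());
        }
        return this.resolve(tok);
      },
    };
  }

  /** Operator-only access to the detailed failure log. */
  failureLog(): readonly string[] {
    return this.internalLog;
  }
}
```

Factories themselves still receive the full container, which is the point of the warning above: anything registered as a factory runs as trusted code, so the trust decision has to be made at registration time, not at resolve time.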
Security updates will be:
- Released as patch versions for supported major versions
- Announced through GitHub Security Advisories
- Documented in the CHANGELOG.md with security impact noted
- Tagged with appropriate CVE numbers when applicable
For general security questions or to report non-critical security concerns, you can:
- Open a GitHub Discussion in the Security category
- Contact the maintainers through the issue tracker
- Email us at [email protected]
Thank you for helping keep eserstack and its users safe!