| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1.0 | ❌ |

Use GitHub Security Advisories only:
Do not report vulnerabilities in public issues.

The `/api/validate` endpoint runs templated shell commands (`curl`, `aws`, `python`) built from user-provided values via Node's `child_process.exec`, which hands the whole command string to a shell. The current denylist sanitizer is best-effort. Run SecretLens only in trusted local environments and only against credentials you own or are authorized to test. Hardening to `spawn()` with argument arrays is tracked as follow-up work.
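The sketch below is an added example, not SecretLens code, showing the shape of the hardening described above: an allowlist check followed by `spawnSync` with an argument array and no shell. The names `TOKEN_RE`, `isPlausibleToken` and `runWithArgv` are hypothetical, the token pattern is an assumption, and a child Node process stands in for `curl`/`aws`/`python` so the example runs offline.

```javascript
const { spawnSync } = require('node:child_process');

// Assumed allowlist for token-like values: must start with an alphanumeric
// (so it can never be parsed as a "-option" by the target tool) and may
// contain only characters that commonly appear in API keys.
const TOKEN_RE = /^[A-Za-z0-9][A-Za-z0-9_.=+\/-]{7,255}$/;

function isPlausibleToken(value) {
  return typeof value === 'string' && TOKEN_RE.test(value);
}

// Stand-in for the real validator binary: prints its last argument exactly
// as received. "--" ends option parsing before the user value is appended.
const CHILD_PROGRAM = process.execPath;
const CHILD_FIXED_ARGS = [
  '-e',
  'process.stdout.write(process.argv[process.argv.length - 1])',
  '--',
];

// Runs the child with the user value as ONE argv element. No command string
// is built and no shell is involved, so ";", "|", "$()" and quotes are data.
function runWithArgv(userValue, { enforceAllowlist = true } = {}) {
  if (enforceAllowlist && !isPlausibleToken(userValue)) {
    return { ran: false, reason: 'rejected by allowlist' };
  }
  const res = spawnSync(CHILD_PROGRAM, [...CHILD_FIXED_ARGS, userValue], {
    shell: false,      // explicit: never route through /bin/sh or cmd.exe
    encoding: 'utf8',
    timeout: 5000,     // bound how long a validation call may run
  });
  if (res.error) return { ran: false, reason: res.error.message };
  return { ran: true, status: res.status, stdout: res.stdout };
}

// Constructed sample inputs.
const SAMPLE_OK = 'AKIAEXAMPLE1234567';
const SAMPLE_METACHARS = 'AKIAEXAMPLE; echo injected $(id)';
```

Calling `runWithArgv(SAMPLE_METACHARS, { enforceAllowlist: false })` returns the string unchanged in `stdout`, which shows that the argument array alone removes shell interpretation; the allowlist remains useful because a value beginning with `-` could still be read as an option by the target tool.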