We actively support and provide security updates for the following versions:
| Version | Supported |
|---------|-----------|
| 1.x.x   | ✅        |
| < 1.0   | ❌        |
The json-schema-diff team takes security seriously. If you discover a security vulnerability, please follow these steps:
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Send a detailed report to andrew@ecosyste.ms with:
- Subject: `[SECURITY] json-schema-diff - [Brief Description]`
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
- Your contact information for follow-up
Please provide as much information as possible:
- Affected versions
- Attack vectors
- Proof of concept (if safe to share)
- Environmental details (Ruby version, OS, etc.)
- Any relevant configuration details
- Acknowledgment: Within 24-48 hours of receiving your report
- Initial assessment: Within 1 week of acknowledgment
- Status updates: Weekly until resolution
We will:
- Confirm the vulnerability exists
- Assess the severity and impact
- Develop a fix and mitigation strategy
- Test the fix thoroughly
- Coordinate disclosure timeline
- High/Critical: Immediate fix and release
- Medium: Fix within 30 days
- Low: Fix in next regular release cycle
The json-schema-diff library processes JSON files and JSON Schema documents:
- JSON parsing: Validates JSON syntax and structure
- Schema validation: Ensures schema conforms to JSON Schema specification
- Path traversal: Validates file paths to prevent directory traversal attacks
- Memory usage: Guards against extremely large JSON files that could cause DoS
Areas that warrant security attention:
- JSON parsing: Malformed JSON could cause parsing errors or crashes
- Schema complexity: Deeply nested schemas could cause stack overflow
- File operations: Reading files requires proper path validation
- Regular expressions: Pattern matching should be safe from ReDoS attacks
When using json-schema-diff in applications:
- Validate input: Don't trust user-provided file paths or JSON content
- Handle errors: Properly catch and handle parsing exceptions
- Limit resources: Implement timeouts and memory limits for large files
- Sanitize output: Be careful when displaying diff results in web applications
We follow coordinated disclosure principles:
- Private reporting allows us to fix issues before public disclosure
- Reasonable timeline for fixes (typically 90 days maximum)
- Credit and recognition for responsible reporters
- Public disclosure after fixes are available
After a fix is released:
- Security advisory published on GitHub
- CVE requested if applicable
- Release notes include security information
- Community notification through appropriate channels
Security updates are announced through:
- GitHub Security Advisories
- RubyGems security alerts
- Release notes and CHANGELOG
- Project README updates
To stay secure:
- Monitor our security advisories
- Update regularly to the latest version
- Review release notes for security fixes
- Subscribe to GitHub notifications for this repository
Security Contact: andrew@ecosyste.ms
Response Time: We aim to acknowledge security reports within 24-48 hours
Thank you for helping keep json-schema-diff and its users safe!