This is a personal project. If you find a security issue, please do not open a public issue or PR. Instead, report it privately using GitHub's private vulnerability reporting:
- Go to the Security tab of this repo
- Click Report a vulnerability
- Fill in the details (proof of concept, affected paths, impact)

I'll triage as time permits — this isn't a commercial product and I don't have an SLA, but I'll respond within a reasonable timeframe (typically a week) and keep you in the loop on the fix.

In-scope: code in this repository. Out-of-scope: third-party services (Google OAuth, Firebase, EAS, etc.) the project integrates with — report those directly to the relevant vendor.

If the report leads to a fix, I'd appreciate you giving me time to ship the patch before public disclosure. Credit will be given in release notes if you'd like it (let me know your preferred name/handle).