Security: gsql-dev/gsql

Security Policy

Supported Versions

gsql-dev/gsql is currently in v0.x. Only the latest minor version receives security fixes. Pinning to a specific patch is recommended; breaking changes may ship in any v0.x release.

Reporting a Vulnerability

Please do not open a public GitHub issue for security reports.

Use GitHub's private vulnerability reporting feature to disclose privately. If that channel is unavailable, contact the maintainer directly through the email listed in the project's git history.

When reporting, please include:

  1. The affected version (go list -m github.com/gsql-dev/gsql)
  2. A minimal reproduction (Go code + the resulting SQL output from Build())
  3. The expected vs. actual behavior
  4. Your assessment of impact (read / write / privilege escalation / DoS)

You should expect an initial acknowledgement within 7 days. We aim to ship a fix within 30 days for confirmed issues, and will coordinate disclosure timing with the reporter.

Scope

In scope

  • SQL injection through any public API that accepts values (Eq, Neq, Gt, Gte, Lt, Lte, In, Like, Val, ValIf, etc.)
  • Bypasses of the identifier validator in NewTable / NewCol
  • Memory-safety issues triggered by user-supplied values
  • Crashes / panics reachable from public APIs given valid identifiers

Out of scope

  • Calling NewCol / NewTable with attacker-controlled strings. Identifiers must be source-code constants. The library validates them, but supplying user input to these functions is a misuse documented in the README.
  • LIKE wildcard semantics (%, _ in user-supplied LIKE patterns). These are intentional LIKE syntax, not injection.
  • Issues in database/sql drivers or the database server.
  • Denial-of-service from extremely large slices passed to In(...) or BulkInsert.Row(...) — placeholder-limit guidance is in the README.
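The scope above rests on one boundary: values are bound through placeholders, identifiers are validated (never escaped), and LIKE metacharacters in user data are pattern syntax rather than injection. The following is an added illustration of that boundary, not gsql's own code; the validator grammar, `WhereEq` and `EscapeLike` are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identRe is a deliberately strict identifier grammar (hypothetical, not
// gsql's): an optional qualifier plus a bare word. Quotes, spaces, comments
// and semicolons are rejected outright instead of being escaped.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$`)

// ValidIdent reports whether s is acceptable as a table or column name.
func ValidIdent(s string) bool { return identRe.MatchString(s) }

// EscapeLike makes user-supplied text match literally inside a LIKE pattern.
// The clause must carry ESCAPE '\' for the backslash to be honoured.
func EscapeLike(v string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(v)
}

// Query pairs SQL text with the arguments the driver binds separately.
type Query struct {
	SQL  string
	Args []any
}

// WhereEq builds "col = ?" with the value kept as a bound argument. Identifiers
// are checked against the grammar; a failure is an error, never a rewrite.
func WhereEq(table, col string, v any) (Query, error) {
	if !ValidIdent(table) || !ValidIdent(col) {
		return Query{}, fmt.Errorf("invalid identifier %q.%q", table, col)
	}
	sql := fmt.Sprintf("SELECT * FROM %s WHERE %s = ?", table, col)
	return Query{SQL: sql, Args: []any{v}}, nil
}

func main() {
	// A quote in a value is harmless: it travels as an argument, not as SQL.
	q, err := WhereEq("users", "name", "o'brien")
	fmt.Println(q.SQL, q.Args, err)

	// A malformed identifier is refused, which is the validator's whole job.
	_, err = WhereEq(`users"; --`, "name", 1)
	fmt.Println(err)

	// Wildcards in user text are escaped so they match themselves.
	fmt.Println(EscapeLike("50%_off"))
}
```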

Hardening Practices

The repository runs the following on every PR:

  • go test -race on Go 1.22 through current
  • gosec static analysis
  • govulncheck against the Go vulnerability database
  • Native Go fuzzing on the identifier validator and condition builders
  • Integration tests against real MySQL and PostgreSQL instances (Dockerized)