
Security: hspotted/dataverse-dev-client


SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 0.1.x   | ✅ Yes    |

⚠️ Development-Only Package

@hspotted/dataverse-dev-client is a development-only package.

It must never be statically imported from production-safe application code and must never be bundled into customer production builds.
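One way for a consuming application to enforce the rule above in CI is to audit its own `package-lock.json` (lockfileVersion 2 or 3) and fail the build if the package is reachable from the production dependency graph. The following is an added example, not code from this package; the two lockfiles are constructed inline, with hypothetical package names and versions, so it runs offline.

```javascript
// Added example (not the package's own code): audit a package-lock.json to confirm
// that a development-only package never reaches the production dependency graph.
const DEV_ONLY_PACKAGE = '@hspotted/dataverse-dev-client';

// Returns a list of findings; an empty list means the package is dev-only everywhere.
function findProductionExposure(lock, pkgName = DEV_ONLY_PACKAGE) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[''] || {};

  // 1. The root manifest must not list it under "dependencies".
  if (root.dependencies && pkgName in root.dependencies) {
    findings.push(`root package.json lists ${pkgName} under "dependencies"`);
  }

  // 2. Every installed copy must carry npm's dev: true flag.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '') continue;
    const prefix = 'node_modules/';
    const installedName = entry.name || path.slice(path.lastIndexOf(prefix) + prefix.length);
    if (installedName === pkgName && entry.dev !== true) {
      findings.push(`${path} is installed without dev: true (reachable from production)`);
    }
  }

  // 3. No production (non-dev) package may declare it as a dependency.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || entry.dev === true) continue;
    for (const field of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
      if (entry[field] && pkgName in entry[field]) {
        findings.push(`production package ${path} declares ${pkgName} in ${field}`);
      }
    }
  }
  return findings;
}

// Constructed sample lockfiles (hypothetical names and versions).
const SAFE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app',
          dependencies: { '@azure/msal-browser': '^3.0.0' },
          devDependencies: { '@hspotted/dataverse-dev-client': '^0.1.0' } },
    'node_modules/@azure/msal-browser': { version: '3.0.0' },
    'node_modules/@hspotted/dataverse-dev-client': { version: '0.1.0', dev: true },
  },
};

const UNSAFE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app',
          dependencies: { '@hspotted/dataverse-dev-client': '^0.1.0', 'legacy-forms-lib': '^1.0.0' } },
    'node_modules/@hspotted/dataverse-dev-client': { version: '0.1.0' },           // no dev flag
    'node_modules/legacy-forms-lib': { version: '1.0.0',
          dependencies: { '@hspotted/dataverse-dev-client': '^0.1.0' } },          // prod dep pulls it in
  },
};

console.log('safe:', findProductionExposure(SAFE_LOCK));
console.log('unsafe:', findProductionExposure(UNSAFE_LOCK));
```

Run it against the real lockfile by replacing the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and exiting non-zero when the findings list is non-empty. The `dev: true` flag is the one npm itself computes, so check 2 catches the case where the package was added under `devDependencies` but is also reachable through a production dependency.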

What Counts as a Vulnerability

  • Token leakage through logs, error messages, or network responses
  • Any code path that implements a confidential authentication flow (client secret, application user, certificate), since this package is intended to be a public client only
  • Secrets committed to source code or package contents
  • Package tampering or supply-chain compromise
  • Redirect URI vulnerabilities enabling token theft
  • MSAL cache exposure
  • Inclusion of .env files or credentials in package tarball

What Does Not Count as a Vulnerability

  • A consumer application that deliberately imports this package in production (misuse, not a vulnerability in this package)
  • MSAL or Microsoft Identity Platform security issues (report to Microsoft)

Reporting Vulnerabilities

Do not report security vulnerabilities through public GitHub issues.

Please use GitHub's private vulnerability reporting to disclose vulnerabilities confidentially.

Include in your report:

  • A description of the vulnerability
  • Steps to reproduce
  • Affected versions
  • Potential impact
  • Suggested remediation if known

Expected response: Initial acknowledgement within 5 business days.

Token Safety

This package:

  • Never logs access tokens
  • Never exposes Authorization headers in thrown errors
  • Never stores tokens outside of MSAL's managed cache
  • Never implements confidential client authentication flows
  • Never includes client secrets, refresh tokens, or private keys
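The second guarantee above (no Authorization headers in thrown errors) is the one most easily broken by a careless error wrapper that attaches the raw request or response to an exception. The following is an added example, not code from this package, of how to build an HTTP error that redacts bearer tokens and sensitive headers before anything is thrown or logged. The class name, header list and sample request are assumptions constructed for the example.

```javascript
// Added example (not the package's own code): build errors from failed Dataverse
// requests without carrying an Authorization header or bearer token into the Error.

// Matches "Bearer <token>" anywhere in free text (JWT alphabet plus base64 padding).
const BEARER_RE = /Bearer\s+[A-Za-z0-9\-._~+/]+=*/g;
// Header names whose values are never copied into an error (assumed list).
const SENSITIVE_HEADER = /^(authorization|proxy-authorization|cookie|set-cookie)$/i;

function redactString(s) {
  return s.replace(BEARER_RE, 'Bearer [redacted]');
}

// Deep-copies a plain object/array, replacing sensitive header values and any
// bearer token embedded in strings. Depth-limited so a cyclic object cannot recurse forever.
function redact(value, depth = 0) {
  if (depth > 10) return '[truncated]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map(v => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_HEADER.test(key) ? '[redacted]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

class DataverseHttpError extends Error {
  // requestHeaders: the headers that were sent; bodyText: the response body as text.
  constructor(status, url, requestHeaders, bodyText) {
    super(`Dataverse request failed: ${status} ${redactString(String(bodyText))}`);
    this.name = 'DataverseHttpError';
    this.status = status;
    this.url = url;
    // Only the redacted copy is retained; the original header object is never referenced.
    this.requestHeaders = redact(requestHeaders);
  }
}

// Constructed sample: a 401 whose body echoes the token back (some gateways do this).
const SAMPLE_ERROR = new DataverseHttpError(
  401,
  'https://contoso.example/api/data/v9.2/accounts',            // hypothetical URL
  { Authorization: 'Bearer eyJhbGciOi.payload.sig', 'Content-Type': 'application/json' },
  'Unauthorized: Bearer eyJhbGciOi.payload.sig has expired',
);

console.log(SAMPLE_ERROR.message);
console.log(JSON.stringify(SAMPLE_ERROR));
```

The test to keep in a consumer's suite is the last line's idea: serialize the thrown error with `JSON.stringify` and assert that no token fragment appears, because loggers and error-reporting SDKs commonly serialize the whole error object, not just `message`.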

Package Integrity

Consumers should rely on npm's built-in checks: on install, npm verifies each downloaded tarball against the integrity hash recorded in package-lock.json, and npm audit reports published advisories for the installed versions:

```
npm ci
npm audit
```

Before publishing, review the npm pack --dry-run output and confirm that no .env files, certificates, private keys, or MSAL cache files are included in the tarball.
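The pre-publish review can be automated: `npm pack --dry-run --json` prints a JSON array with one entry per tarball, each carrying a `files` list of `{path, size, mode}` objects, which a small script can screen for secret-bearing paths. The following is an added example, not code from this package; the filename patterns are assumptions about what should never ship, and the pack output is constructed inline so the script runs offline.

```javascript
// Added example (not the package's own code): screen `npm pack --dry-run --json`
// output for files that must never ship in a published tarball.

// Assumed deny-list; extend to taste.
const FORBIDDEN_PATTERNS = [
  /(^|\/)\.env(\..*)?$/,                   // .env, .env.local, .env.production ...
  /(^|\/)\.npmrc$/,                        // may carry an npm auth token
  /\.(pem|key|pfx|p12|crt|cer)$/i,         // certificates and private keys
  /(^|\/)id_(rsa|ed25519|ecdsa)(\.pub)?$/, // SSH keys
  /(^|\/)\.msal.*cache/i,                  // serialized MSAL token cache
  /(^|\/)(secrets?|credentials?)\.(json|ya?ml)$/i,
];

// Returns the subset of paths that match any forbidden pattern, in input order.
function flagSensitiveFiles(paths) {
  return paths.filter(p => FORBIDDEN_PATTERNS.some(re => re.test(p)));
}

// Accepts the raw text of `npm pack --dry-run --json` (an array of tarball records).
function checkPackOutput(jsonText) {
  const parsed = JSON.parse(jsonText);
  const tarballs = Array.isArray(parsed) ? parsed : [parsed];
  return tarballs.flatMap(t => flagSensitiveFiles((t.files || []).map(f => f.path)));
}

// Constructed sample in the shape npm emits (hypothetical sizes; hashes omitted).
const SAMPLE_PACK_JSON = JSON.stringify([{
  id: '@hspotted/dataverse-dev-client@0.1.0',
  name: '@hspotted/dataverse-dev-client',
  version: '0.1.0',
  filename: 'hspotted-dataverse-dev-client-0.1.0.tgz',
  files: [
    { path: 'package.json', size: 900, mode: 420 },
    { path: 'README.md', size: 2100, mode: 420 },
    { path: 'dist/index.js', size: 8800, mode: 420 },
    { path: '.env', size: 120, mode: 420 },                  // leaked local config
    { path: 'certs/app-cert.pem', size: 1700, mode: 420 },   // leaked certificate
    { path: 'src/.msal-cache.json', size: 4096, mode: 420 }, // leaked token cache
  ],
}]);

console.log('flagged:', checkPackOutput(SAMPLE_PACK_JSON));
```

To use it for real, read stdin instead of the constructed string (`npm pack --dry-run --json | node check-pack.js`) and exit non-zero when the returned list is non-empty; fixing a hit usually means adding the path to `.npmignore` or tightening the `files` field in package.json rather than deleting the file from the checkout.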

There aren't any published security advisories