Do not open GitHub issues for security vulnerabilities.
If you discover a security vulnerability in micro-requester, please report it responsibly by emailing:
iimuhammad.rashed@gmail.com
Include:
- Type of vulnerability
- Location in code (file, function, line)
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We'll acknowledge your report within 48 hours and work with you on a fix.
- ✅ Keep dependencies up-to-date
- ✅ Run security audits (npm audit)
- ✅ Follow secure coding practices
- ✅ Respond promptly to reported vulnerabilities
- ✅ Document security considerations

- ❌ Don't use micro-requester for sensitive data without TLS
- ❌ Don't hardcode credentials in client config
- ❌ Don't ignore SSL/TLS certificate errors
Dependencies:
- undici - Maintained by Node.js core team, actively audited

We monitor:
- npm audit - Run on every PR and release
- Dependabot - Automatic dependency updates
- GitHub Security Alerts - Real-time notifications

Security updates are released immediately. Patch versions (0.x.Z) are reserved for security fixes.
Correlation IDs help identify malicious requests:

```ts
const client = createClient({
  service: 'api',
  base: 'https://api.example.com',
  // Attach the current inbound request's correlation ID (read here from an
  // async-context store) to every outbound request so upstream and local
  // logs can be joined when a request is investigated.
  getReqId: () => requestContext.getStore()?.requestId,
});
```

Always set appropriate timeouts:
```ts
const client = createClient({
  service: 'api',
  base: 'https://api.example.com',
  timeoutMs: 5000, // 5 second timeout
});
```

Sensitive headers are automatically sanitized in logs:
```ts
// Authorization headers, cookies, API keys are NOT logged
const client = createClient({
  logger: { info: console.log },
  defaultHeaders: {
    Authorization: 'Bearer token...', // Safe - not logged
  },
});
```

Always use HTTPS in production:
```ts
// ❌ Development only
const devClient = createClient({
  base: 'http://localhost:3001',
});

// ✅ Production
const prodClient = createClient({
  base: 'https://api.example.com',
});
```

Don't expose sensitive error details to clients:
```ts
try {
  const user = await client.get(`/users/${id}`);
} catch (error) {
  // ✅ Safe - don't expose internal errors
  logger.error('User fetch failed', {
    userId: id,
    statusCode: (error as any).statusCode,
  });

  // ❌ Unsafe - exposes internals
  res.status(500).json(error);
}
```

micro-requester@0.1.0 is a new release. No known vulnerabilities.
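As an added example, not micro-requester's own code, here is what the safe branch of that catch block can log and return, combined with the header sanitization described earlier: the upstream error is recorded in full on the server side, with sensitive header values redacted, while the caller receives only a status, a generic message and the correlation ID. `sanitizeHeaders`, `handleUpstreamError`, the header list and the 4xx-passthrough/502 mapping are this example's own assumptions.

```javascript
// Added example, not micro-requester's own code: the safe failure path for an
// upstream call, pairing a sanitized server-side log entry with a minimal
// client-facing response. Names and the header list below are assumptions.

// Header names whose values must never appear in a log line. Compared
// case-insensitively because HTTP header names are case-insensitive.
const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie',
  'x-api-key', 'x-auth-token',
]);

// Return a copy of `headers` with sensitive values replaced by a marker;
// everything else is passed through unchanged.
function sanitizeHeaders(headers = {}) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Split one caught upstream error into:
//  - logEntry: the detailed record for the server-side logger
//  - response: what the caller sees, i.e. a status, a generic message and
//    the correlation ID so support staff can find the matching log entry
// Assumed policy: upstream 4xx codes are passed through; anything else
// (5xx, timeouts, connection errors with no statusCode) becomes 502.
function handleUpstreamError(error, { requestId, headers } = {}) {
  const upstreamStatus = Number.isInteger(error.statusCode) ? error.statusCode : undefined;
  const clientStatus =
    upstreamStatus !== undefined && upstreamStatus >= 400 && upstreamStatus < 500
      ? upstreamStatus
      : 502;
  const logEntry = {
    msg: 'Upstream request failed',
    requestId,
    upstreamStatus,
    errorName: error.name,
    errorMessage: error.message,
    stack: error.stack,
    requestHeaders: sanitizeHeaders(headers),
  };
  const response = {
    status: clientStatus,
    body: { error: 'Upstream request failed', requestId },
  };
  return { logEntry, response };
}
```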
| Version | Status | Notes |
|---|---|---|
| 0.1.0+ | ✅ Active | Current release |
| < 0.1.0 | N/A | Pre-release |
- Security Issues: iimuhammad.rashed@gmail.com
- General Questions: GitHub Issues
- Discussions: GitHub Discussions
Thank you for helping keep micro-requester secure.