Skip to content

Security: logicplanes/specui

Security

SECURITY.md

Security policy

Supported versions

Version Supported
Latest release on npm Yes
dev branch Yes (pre-release)
Older tags Best effort

Check the current version: npm view @logicplanes/specui version or Releases.

Reporting a vulnerability

Please do not open a public GitHub issue for security bugs.

Use one of these channels:

  1. GitHub Private Security Advisory (preferred) — maintainers can coordinate fixes and CVE attribution.
  2. If you cannot use Advisories, open a minimal private report via Logicplanes org contact (see repo About / org profile) with:
    • Affected version (specui --version or npm version)
    • Steps to reproduce
    • Impact (data exposure, RCE, path traversal, etc.)

We aim to acknowledge reports within 5 business days and ship fixes via devprod with changelog.json when confirmed (docs/RELEASING.md).

Scope

In scope:

  • The @logicplanes/specui CLI (file I/O, network fetches for get / load, MCP server)
  • GitHub Actions workflows in this repository (secret handling, supply chain)
  • The published docs site build pipeline

Out of scope (report to upstream):

  • Third-party registries (e.g. shadcn) you point specui get at
  • Your own application code that consumes .specui/

Safe defaults

  • Do not commit npm tokens, registry credentials, or private registry URLs with secrets.
  • CI publish uses repo secret NPM_TOKEN only — rotate if exposed.

Disclosure

We follow coordinated disclosure: credit reporters in the release notes when they agree.

There aren't any published security advisories