| Version | Supported |
|---|---|
| Latest release on npm | Yes |
dev branch |
Yes (pre-release) |
| Older tags | Best effort |
Check the current version: npm view @logicplanes/specui version or Releases.
Please do not open a public GitHub issue for security bugs.
Use one of these channels:
- GitHub Private Security Advisory (preferred) — maintainers can coordinate fixes and CVE attribution.
- If you cannot use Advisories, open a minimal private report via Logicplanes org contact (see repo About / org profile) with:
- Affected version (
specui --versionor npm version) - Steps to reproduce
- Impact (data exposure, RCE, path traversal, etc.)
- Affected version (
We aim to acknowledge reports within 5 business days and ship fixes via dev → prod with changelog.json when confirmed (docs/RELEASING.md).
In scope:
- The
@logicplanes/specuiCLI (file I/O, network fetches forget/load, MCP server) - GitHub Actions workflows in this repository (secret handling, supply chain)
- The published docs site build pipeline
Out of scope (report to upstream):
- Third-party registries (e.g. shadcn) you point
specui getat - Your own application code that consumes
.specui/
- Do not commit npm tokens, registry credentials, or private registry URLs with secrets.
- CI publish uses repo secret
NPM_TOKENonly — rotate if exposed.
We follow coordinated disclosure: credit reporters in the release notes when they agree.