Please do not open a public issue for security vulnerabilities.
Report privately through GitHub's private vulnerability reporting: the repository's Security tab → Report a vulnerability.
Include the affected version, a description of the issue, and steps to reproduce. You can expect an initial acknowledgement within a few days.
pagespring is pre-1.0 and under active development. Security fixes land in the latest tagged release; pin to a tagged release and upgrade promptly when a fix ships.
pagespring is a local CLI that fetches and parses remote documentation. It needs no credentials — there are no API keys or secrets to handle. The most security-relevant surfaces are:
pagespring.http— the fetch layer (stdliburllib, plain GETs).- Archive extraction (
archive_download) — zips extract viazipfile's sanitizedextractall; tars use thedataextraction filter. - Content parsing — BeautifulSoup for HTML,
json/yaml.safe_loadfor specs; deliverables are written as inert files, never executed.