scormflow/ScormFlow

Security Policy

Reporting a vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Report privately via GitHub Security Advisories:

Security → Advisories → Report a vulnerability

Or email the maintainers directly. We will acknowledge receipt within 72 hours and aim to publish a fix within 30 days of confirmation.

Supported versions

Until a 1.0.0 release, only the latest minor version receives security fixes.

Scope

In scope:

  • The HTTP API under /api/v1/*
  • The runtime bridge served from /runtime.js
  • The standalone player route at /play/:attemptId
  • The Prisma schema and migrations
  • The Docker image published from this repository

Out of scope:

  • Vulnerabilities in third-party SCORM courses played through the engine
  • Misconfiguration on the operator's side (e.g. permissive CORS in production, weak JWT_SECRET)

About

Modern, modular SCORM runtime engine for TypeScript. Vendor-neutral REST API + tracking engine for SCORM 1.2 and 2004 — embed in any Node.js app or run with docker compose up. Stripe-style for SCORM: bring your own player, or pair with the companion frontend SDK at scorm-engine-client.
