We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| 1.10.x | ✅ |
| 1.9.x | ✅ |
| 1.8.x | ✅ |
| < 1.8 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
Do not report security vulnerabilities through public GitHub issues. This could expose the vulnerability before a fix is available.
Please report security vulnerabilities by emailing the maintainer:
- Email: [Check GitHub profile for contact information]
- Subject: `[SECURITY] ngxsmk-datepicker vulnerability report`
Please include the following information in your report:
- Type of vulnerability (XSS, injection, etc.)
- Full paths of source file(s) related to the vulnerability
- Location of the affected code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
- Suggested fix (if available)
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity, typically 30-90 days
Disclosure process:
- We will acknowledge receipt of your report within 48 hours
- We will keep you informed of the progress
- Once a fix is ready, we will:
  - Release a security patch
  - Credit you (if desired) in the security advisory
  - Publish a security advisory on GitHub
- Keep dependencies updated: Regularly update `ngxsmk-datepicker` to the latest version
- Review dependencies: Use tools like `npm audit` to check for known vulnerabilities
- Sanitize inputs: Always validate and sanitize date inputs from user sources
- Use Content Security Policy: Implement CSP headers to prevent XSS attacks
- Input validation: Always validate and sanitize user inputs
- Avoid eval(): Never use `eval()` or similar dangerous functions
- XSS prevention: Use Angular's built-in sanitization for user-generated content
- Dependency updates: Keep dependencies up to date
- Security headers: Implement proper security headers in your application
The datepicker relies on Angular's built-in sanitization for template rendering. However, when using custom templates or dynamic content:
- Validate user-provided date format strings against an allow-list of known formats; do not pass arbitrary strings through as a format
- Use Angular's `DomSanitizer` for any custom HTML, and never call `bypassSecurityTrustHtml()` (or the other `bypassSecurityTrust*` methods) on user-controlled values, since that disables sanitization for that value
- Avoid `innerHTML` with user content
- The datepicker validates date inputs, but always validate again on the server side; client-side checks can be bypassed
- Be cautious with date parsing from strings: `new Date(string)` is lenient and engine-dependent for anything other than full ISO 8601 input, so parse known formats explicitly and reject everything else
- Use explicit timezone handling for server communication (for example ISO 8601 in UTC), so a calendar date is not shifted by the client's local offset
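The two lists above (allow-listed format strings, explicit parsing instead of `new Date(string)`, and a UTC representation for the server round-trip) as one worked example in TypeScript. This is an added example and not code from ngxsmk-datepicker; the accepted wire format (`YYYY-MM-DD`), the year bounds, the format allow-list and every function name are assumptions made for illustration.

```typescript
// Added example, not part of ngxsmk-datepicker. Strictly validates a
// user-supplied date string before it reaches the picker or the server.
// Assumptions (hypothetical): the wire format is an ISO 8601 calendar date
// (YYYY-MM-DD); only a small allow-list of display formats is selectable;
// years outside [1900, 2100] are rejected. Keep minYear >= 100, because
// Date.UTC maps years 0-99 to 1900-1999.

const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Allow-list for user-selectable display formats. Unknown strings (including
// anything containing markup) are rejected rather than "cleaned up".
const ALLOWED_FORMATS: ReadonlySet<string> = new Set([
  'yyyy-MM-dd',
  'dd/MM/yyyy',
  'MM/dd/yyyy',
]);

interface CalendarDate {
  year: number;
  month: number; // 1-12
  day: number;   // 1-31, checked against the month
}

function isAllowedFormat(format: string): boolean {
  return ALLOWED_FORMATS.has(format);
}

// Day count computed in UTC so the result does not depend on the host's
// time zone (day 0 of the following month is the last day of `month`).
function daysInMonth(year: number, month: number): number {
  return new Date(Date.UTC(year, month, 0)).getUTCDate();
}

// Strict parser: exact shape, in-range components, real calendar day.
// Returns null instead of throwing so callers cannot forget to check.
function parseIsoDate(input: string, minYear = 1900, maxYear = 2100): CalendarDate | null {
  const match = ISO_DATE.exec(input.trim());
  if (match === null) return null;
  const year = Number(match[1]);
  const month = Number(match[2]);
  const day = Number(match[3]);
  if (year < minYear || year > maxYear) return null;
  if (month < 1 || month > 12) return null;
  if (day < 1 || day > daysInMonth(year, month)) return null;
  return { year, month, day };
}

// Builds the Date the picker should receive at UTC midnight, so the calendar
// day cannot shift when serialised. `new Date(y, m, d)` would use local
// midnight, and toISOString() could then report the previous day.
function toUtcDate(d: CalendarDate): Date {
  return new Date(Date.UTC(d.year, d.month - 1, d.day));
}

// Unambiguous representation for the server round-trip.
function toServerTimestamp(d: CalendarDate): string {
  return toUtcDate(d).toISOString();
}

// Whole pipeline: the server-safe string, or null for any rejected input.
function acceptUserDate(input: string): string | null {
  const parsed = parseIsoDate(input);
  return parsed === null ? null : toServerTimestamp(parsed);
}

// Contrast with the lenient built-in parser: engines disagree on whether
// '2023-02-31' becomes an Invalid Date or rolls over into March, so its
// result is not something to rely on; the strict parser rejects it everywhere.
const lenient = new Date('2023-02-31');
const strict = parseIsoDate('2023-02-31'); // null
console.log(`lenient: ${lenient.toString()}, strict: ${strict}`);
```

The design choice worth noting is that nothing here "sanitizes" a date string into something acceptable: input either matches the expected shape and a real calendar day, or it is rejected, which is the same allow-list stance the format check takes. The server must repeat the same checks on what it receives.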
We regularly update dependencies to address security vulnerabilities. To check your own project for known vulnerabilities, run:
```bash
npm audit
```
Security updates are released as:
- Patch versions (1.8.1, 1.8.2, etc.) for critical security fixes
- Minor versions (1.9.0, 1.10.0, etc.) for non-critical security improvements
We appreciate responsible disclosure of security vulnerabilities. Contributors who report valid security issues will be credited (if desired) in our security advisories.