We currently support security updates for the latest version of DeckSage.

| Version | Supported |
|---|---|
| Latest | Yes |
| < Latest | No |

If you discover a security vulnerability, please do not open a public issue.
Instead, please report it via GitHub Security Advisories (private vulnerability reporting).
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)

We aim to acknowledge security reports within 48 hours and provide an initial assessment within 7 days.

When using DeckSage:
- Keep dependencies up to date: `uv sync`
- Review API authentication if deploying publicly
- Don't commit API keys or secrets
- Use environment variables for sensitive configuration
- API Keys: Store API keys (e.g., `OPENROUTER_API_KEY`) in environment variables, not in code
- Data Files: Large data files are stored locally/S3, not in git
- Dependencies: Regular dependency updates via Dependabot