We actively support the following versions of the MSRP Node.js Library:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |

We take security vulnerabilities seriously. If you discover a security vulnerability in this project, please report it responsibly.

- Do NOT create a public GitHub issue for security vulnerabilities
- Email: Send details to [email protected] with subject "Security Vulnerability - MSRP Node.js Library"
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: We'll acknowledge receipt within 48 hours
- Assessment: We'll assess the vulnerability within 5 business days
- Updates: We'll provide regular updates on our progress
- Resolution: We'll work to resolve critical vulnerabilities within 30 days
- Credit: We'll credit you in the security advisory (if desired)

When using this library:

- Keep Updated: Always use the latest version
- Dependencies: Regularly update dependencies
- Network Security: Use TLS/SSL in production
- Input Validation: Validate all inputs to MSRP methods
- Access Control: Implement proper access controls
- Monitoring: Monitor for unusual network activity

This library includes:

- Input validation for MSRP messages
- Protection against malformed SDP
- Resource limits to prevent DoS
- Secure default configurations
- Comprehensive error handling

We use:

- Dependabot: Automated dependency updates
- npm audit: Regular vulnerability scanning
- GitHub Security Advisories: Vulnerability tracking
- CodeQL Analysis: Static code analysis (if enabled)
- We follow responsible disclosure practices
- Security fixes are prioritized and released quickly
- Public disclosure occurs after fixes are available
- We maintain a security advisory for each vulnerability

Thank you for helping keep the MSRP Node.js Library secure! 🔒