| Package | Version | Supported |
|---|---|---|
| @t-req/core | 0.2.x | ✅ |
| @t-req/app | 0.3.x | ✅ |

t-req is an HTTP request tool that runs locally on your machine. It parses `.http` files and executes requests against URLs you specify. It also provides a local server and optional web dashboard for development workflows.
t-req does not sandbox request execution or command resolvers. The configuration system (treq.json) exists to customize behavior, not to provide security isolation.
If you need true isolation, run t-req inside a Docker container or VM.
The treq serve command starts a local HTTP server for multi-language access to t-req functionality.
- Binds to `localhost` by default
- Intended for local development only
- Do not expose to the public internet — it is not hardened for public access
The web dashboard (treq open --web) is a development tool for visual debugging.
- Connects to the local server only
- Not designed for production or public deployment
t-req can execute command resolvers defined in your configuration. These run through whitelisted interpreters only (node, bun, tsx, python, ruby, go, sh, bash) with execution timeouts and output limits.
Resolvers execute your scripts with your environment — they are not sandboxed.
The following are not considered vulnerabilities:
| Category | Rationale |
|---|---|
| HTTP request destinations | You control what URLs your .http files target |
| `.http` file contents | User-authored files are user responsibility |
| Command resolver behavior | Resolvers run your scripts in your environment |
| Config file modifications | Users control their own treq.config.ts |
| Environment variable exposure | Resolvers inherit your environment by design |

We take security seriously. If you believe you have found a security vulnerability, please report it responsibly.
Email: security@tensorixlabs.com
Or use GitHub Security Advisories: Report a Vulnerability
Include in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- (Optional) Suggested fix or mitigation

In response, we will:

- Acknowledge your report within 48 hours
- Assess severity and provide an estimated timeline
- Keep you informed of progress toward a fix
- Credit you in the advisory (unless you prefer anonymity)
Please do not disclose the vulnerability publicly until we have had a chance to address it.
Use a supported version of Node.js (v18+) or Bun. Keep t-req packages updated to receive security fixes.
.http files may contain secrets (API keys, tokens). Use environment variables and .env files instead of hardcoding credentials:
```http
GET https://api.example.com/data
Authorization: Bearer {{TOKEN}}
```

When using `treq serve`:

- Do not bind to `0.0.0.0` or expose ports publicly
- Use behind a firewall or VPN if remote access is needed
- Consider running in a container for additional isolation
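
For the credential advice above, the following check is an added example and not part of t-req: it scans `.http` text for credentials written literally instead of as `{{NAME}}` placeholders. The function name, the header and parameter lists, and the assumed file layout (request line, headers up to a blank line, `###` separators, `#` or `//` comments) are assumptions made for illustration.

```javascript
// Added example: flag credentials written literally into .http text.
// Assumed layout: request line, headers until a blank line, "###" between
// requests, "#" or "//" comment lines, {{NAME}} placeholders.
const SECRET_HEADERS = /^(authorization|proxy-authorization|x-api-key|cookie)$/i;
const SECRET_PARAMS = /[?&](api[_-]?key|access[_-]?token|token|secret)=([^&\s#]+)/gi;
const PLACEHOLDER = /\{\{[^{}]+\}\}/;
const REQUEST_LINE = /^(?:(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+\S+|https?:\/\/\S+)/i;

function findHardcodedSecrets(text) {
  const findings = [];
  let state = "start"; // start -> headers -> body; "###" resets to start
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line.startsWith("###")) { state = "start"; return; }
    if (state === "body" || line.startsWith("#") || line.startsWith("//")) return;
    if (state === "start") {
      if (!REQUEST_LINE.test(line)) return; // blank lines, variable definitions
      for (const m of line.matchAll(SECRET_PARAMS)) {
        if (!PLACEHOLDER.test(m[2])) findings.push({ line: i + 1, where: `query parameter ${m[1]}` });
      }
      state = "headers";
      return;
    }
    if (line === "") { state = "body"; return; } // bodies are not inspected here
    const colon = line.indexOf(":");
    if (colon < 1) return;
    const name = line.slice(0, colon).trim();
    const value = line.slice(colon + 1).trim();
    // "Bearer {{TOKEN}}" passes; "Bearer abc123" is a literal credential.
    const credential = value.replace(/^(bearer|basic|token)\s+/i, "");
    if (SECRET_HEADERS.test(name) && credential && !PLACEHOLDER.test(credential)) {
      findings.push({ line: i + 1, where: `header ${name}` });
    }
  });
  return findings;
}

// Constructed sample input (not taken from the t-req repository).
const SAMPLE = [
  "### placeholder", "GET https://api.example.com/data",
  "Authorization: Bearer {{TOKEN}}", "",
  "### literal token", "GET https://api.example.com/data",
  "Authorization: Bearer constructed-token-value", "",
  "### literal key in URL", "POST https://api.example.com/items?api_key=constructed123",
  "X-Api-Key: {{API_KEY}}", "Content-Type: application/json", "",
  '{"Authorization": "request body, skipped"}',
].join("\n");

console.log(findHardcodedSecrets(SAMPLE));
```

Run over staged `.http` files in a pre-commit hook, a non-empty result is a reason to block the commit and move the value into an environment variable or `.env` file.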