The following versions of Terroir Core are currently being supported with security updates:

The Terroir Core team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security vulnerability, please follow these steps:

1. DO NOT create a public GitHub issue for the vulnerability.
2. Email your findings to [email protected] (or create a private security advisory on GitHub).
3. Include the following information:
   • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
   • Full paths of source file(s) related to the manifestation of the issue
   • The location of the affected source code (tag/branch/commit or direct URL)
   • Any special configuration required to reproduce the issue
   • Step-by-step instructions to reproduce the issue
   • Proof-of-concept or exploit code (if possible)
   • Impact of the issue, including how an attacker might exploit the issue

• You will receive a response acknowledging your email within 48 hours.
• We will provide an estimated timeline for addressing the vulnerability.
• We will notify you when the vulnerability is fixed.
• We will publicly acknowledge your responsible disclosure, unless you prefer to remain anonymous.

1. The reported vulnerability is assigned a severity level.
2. A fix is developed and tested.
3. A new version is released with the security fix.
4. The vulnerability is disclosed in the release notes after users have had time to update.

Our CI/CD pipeline includes comprehensive security checks:

1. Dependency Scanning

   • Continuous monitoring with pnpm audit
   • Critical vulnerabilities block deployments
   • Daily scheduled scans for emerging threats

2. Static Application Security Testing (SAST)

   • CodeQL analysis for JavaScript/TypeScript
   • Semgrep with security-focused rulesets
   • Regular security pattern updates

3. Secret Detection

   • TruffleHog scanning on all commits
   • Verified secret detection only
   • Full repository history scanning

4. License Compliance

   • Automated license compatibility checking
   • Blocks incompatible licenses (GPL, AGPL, LGPL, SSPL, BUSL)
   • Production dependency focus

1. Secure Development Lifecycle

   • Security scanning on every PR
   • Mandatory security review for critical changes
   • Signed commits recommended

2. Dependency Management

   • Automated updates via Dependabot
   • Lock file integrity verification
   • Production vs development dependency separation

3. Access Control

   • Limited repository write access
   • Required 2FA for all maintainers
   • Branch protection rules enforced

When using Terroir Core in your projects:

1. Keep Dependencies Updated: Regularly update to the latest version of Terroir Core.
2. Review Security Advisories: Monitor our GitHub repository for security advisories.
3. Validate Inputs: Always validate and sanitize user inputs in your applications.
4. Use Environment Variables: Never hardcode sensitive information in your code.
5. Enable CSP: Use Content Security Policy headers when serving Terroir Core assets.
6. Run Security Scans: Use our security workflow as a template for your projects.

When using dynamic SVG token replacement, ensure that:

• Token values are properly sanitized
• User-provided content is never directly inserted into SVG templates
• CSP headers are configured to prevent inline script execution

When accepting color values from users:

• Validate color formats before processing
• Use the built-in color validation utilities
• Sanitize color values before use in CSS

For any security-related questions that don't need to be private, you can:

• Open a discussion in our GitHub repository
• Tag your issue with the security label (for non-sensitive issues only)

Thank you for helping keep Terroir Core and its users safe!