typicode · deprrous · Mar 7, 2026 · Copilot · Mar 7, 2026 · Copilot
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,76 @@
+<!-- GITHUB SECURITY ADVISORY SUBMISSION -->
+<!-- Title:              Silent Data Loss via Write Coalescing in steno (lowdb dependency) -->
+<!-- Severity:           Medium -->
+<!-- Ecosystem:          npm -->
+<!-- Package name:       lowdb -->
+<!-- Affected versions:  <= 7.0.1 -->
+<!-- Patched versions:   (leave blank) -->
+<!-- CWE:                CWE-362 -->
+
+## Summary
+
+lowdb v7.0.1's async file adapter depends on steno v4.0.2, whose `Writer` silently drops intermediate writes when a write is in progress. All `write()` promises resolve successfully, but only the last queued write is persisted to disk. This is a data integrity violation — callers receive a false durability guarantee, leading to silent data loss under concurrent load.
+
+## Details
+
+When a steno `Writer` is locked (write in progress), subsequent `write()` calls are handled by `#add()` (`steno/lib/index.js`, lines 35-45):
-When a steno `Writer` is locked (write in progress), subsequent `write()` calls are handled by `#add()` (`steno/lib/index.js`, lines 35-45):
+When a steno `Writer` is locked (write in progress), subsequent `write()` calls are handled by `#add()` as implemented in steno v4.0.2 ([source](https://github.com/typicode/steno/blob/v4.0.2/lib/index.js)):
-When a steno `Writer` is locked (write in progress), subsequent `write()` calls are handled by `#add()` (`steno/lib/index.js`, lines 35-45):
+When a steno `Writer` is locked (write in progress), subsequent `write()` calls are handled by `#add()` as implemented in steno v4.0.2 ([source](https://github.com/typicode/steno/blob/v4.0.2/lib/index.js)):
+
+```javascript
+#add(data) {
+    this.#nextData = data;  // OVERWRITES any previously queued data
+    this.#nextPromise ||= new Promise((resolve, reject) => {
+        this.#next = [resolve, reject];
+    });
+    return new Promise((resolve, reject) => {
+        this.#nextPromise?.then(resolve).catch(reject);
+    });
+}
+```
+
+If writes A, B, C are queued while write #1 is in progress:
+1. `#add(A)` → `#nextData = A`
+2. `#add(B)` → `#nextData = B` (A silently dropped)
+3. `#add(C)` → `#nextData = C` (B silently dropped)
+4. Write #1 completes → only C is written
+5. **All three promises resolve** — callers of `write(A)` and `write(B)` believe their data was persisted
+
+## PoC
+
+```javascript
+import { Writer } from 'steno';
+const writer = new Writer('test.json');
+
+// Fire 10 concurrent writes
+const promises = [];
+for (let i = 0; i < 10; i++) {
+    promises.push(writer.write(JSON.stringify({ id: i })));
+}
+await Promise.all(promises);
+// All 10 promises resolved ✓
+
+// Read back from disk:
+import fs from 'node:fs';
+const persisted = JSON.parse(fs.readFileSync('test.json', 'utf-8'));
+console.log(persisted); // { id: 9 } — only the LAST write survived
+
+// Writes 0-8 (90%) silently lost despite successful promise resolution
+```
+
+**Tested and confirmed:** 9 out of 10 writes (90%) silently dropped. All 10 `write()` promises resolved successfully, giving callers a false durability guarantee.
+
+## Impact
+
+Any web application using lowdb's async adapter that handles concurrent requests will silently lose user data:
+
+- API returns **200 OK** to the user, but their data is **never persisted**
+- No errors, no warnings — completely silent data loss
+- Under typical web server load (multiple concurrent requests), the **majority** of writes are lost
+- Affects audit logs, user data, configuration changes — anything stored in lowdb
-Any web application using lowdb's async adapter that handles concurrent requests will silently lose user data:
-
- API returns **200 OK** to the user, but their data is **never persisted**
- No errors, no warnings — completely silent data loss
- Under typical web server load (multiple concurrent requests), the **majority** of writes are lost
- Affects audit logs, user data, configuration changes — anything stored in lowdb
+Web applications that use lowdb's async adapter and perform concurrent write or read-modify-write operations without external synchronization (for example, a mutex or explicit write queue) can silently lose user data due to last-write-wins write coalescing:
+
+- API returns **200 OK** to the user, but their data is **never persisted**
+- No errors, no warnings — completely silent data loss
+- Under such concurrent access patterns, intermediate writes may be coalesced so that only the last write in a burst is persisted (last-write-wins), and earlier writes are effectively lost
+- This can affect audit logs, user data, configuration changes — any state stored through lowdb that relies on each write being durably persisted
-Any web application using lowdb's async adapter that handles concurrent requests will silently lose user data:
-
- API returns **200 OK** to the user, but their data is **never persisted**
- No errors, no warnings — completely silent data loss
- Under typical web server load (multiple concurrent requests), the **majority** of writes are lost
- Affects audit logs, user data, configuration changes — anything stored in lowdb
+Web applications that use lowdb's async adapter and perform concurrent write or read-modify-write operations without external synchronization (for example, a mutex or explicit write queue) can silently lose user data due to last-write-wins write coalescing:
+
+- API returns **200 OK** to the user, but their data is **never persisted**
+- No errors, no warnings — completely silent data loss
+- Under such concurrent access patterns, intermediate writes may be coalesced so that only the last write in a burst is persisted (last-write-wins), and earlier writes are effectively lost
+- This can affect audit logs, user data, configuration changes — any state stored through lowdb that relies on each write being durably persisted
+
+## Remediation
+
+1. Replace write coalescing with a sequential write queue that persists every write
+2. At minimum, reject or error on coalesced writes instead of silently dropping them
+3. Document the write-coalescing behavior prominently so developers avoid relying on write durability
+
-1. Replace write coalescing with a sequential write queue that persists every write
-2. At minimum, reject or error on coalesced writes instead of silently dropping them
-3. Document the write-coalescing behavior prominently so developers avoid relying on write durability
+### For lowdb users and maintainers
+
+1. When using lowdb's async file adapter, **serialize `db.write`/`db.update` calls per database file** (for example, via an application-level queue or mutex) so that concurrent writes are not issued against the same underlying `Writer` instance.
+2. Provide or recommend an optional **"strict" lowdb adapter** that internally queues every write and ensures each `write()` call is flushed to disk, or clearly recommend the synchronous `JSONFileSync` adapter for workloads that require strong durability.
+3. **Document the async adapter's concurrency and durability characteristics** in lowdb's README and API docs, including the risk of data loss under concurrent writes, and direct users who need stronger guarantees toward safer adapters or serialization patterns.
+
+### Upstream steno remediation (outside this repository)
+
+These changes would need to be implemented in `steno` itself and are listed here for the upstream maintainer:
+
+1. Replace write coalescing with a sequential write queue that persists every write.
+2. At minimum, reject or error on coalesced writes instead of silently dropping them.
+3. Document the write-coalescing behavior prominently so developers avoid relying on write durability.
-1. Replace write coalescing with a sequential write queue that persists every write
-2. At minimum, reject or error on coalesced writes instead of silently dropping them
-3. Document the write-coalescing behavior prominently so developers avoid relying on write durability
+### For lowdb users and maintainers
+
+1. When using lowdb's async file adapter, **serialize `db.write`/`db.update` calls per database file** (for example, via an application-level queue or mutex) so that concurrent writes are not issued against the same underlying `Writer` instance.
+2. Provide or recommend an optional **"strict" lowdb adapter** that internally queues every write and ensures each `write()` call is flushed to disk, or clearly recommend the synchronous `JSONFileSync` adapter for workloads that require strong durability.
+3. **Document the async adapter's concurrency and durability characteristics** in lowdb's README and API docs, including the risk of data loss under concurrent writes, and direct users who need stronger guarantees toward safer adapters or serialization patterns.
+
+### Upstream steno remediation (outside this repository)
+
+These changes would need to be implemented in `steno` itself and are listed here for the upstream maintainer:
+
+1. Replace write coalescing with a sequential write queue that persists every write.
+2. At minimum, reject or error on coalesced writes instead of silently dropping them.
+3. Document the write-coalescing behavior prominently so developers avoid relying on write durability.
+**Note:** This vulnerability originates in the `steno` package (same maintainer). A separate advisory may be appropriate for `steno` itself.
-<!-- GITHUB SECURITY ADVISORY SUBMISSION -->
-<!-- Title:              Silent Data Loss via Write Coalescing in steno (lowdb dependency) -->
-<!-- Severity:           Medium -->
-<!-- Ecosystem:          npm -->
-<!-- Package name:       lowdb -->
-<!-- Affected versions:  <= 7.0.1 -->
-<!-- Patched versions:   (leave blank) -->
-<!-- CWE:                CWE-362 -->
-
-## Summary
-
-lowdb v7.0.1's async file adapter depends on steno v4.0.2, whose `Writer` silently drops intermediate writes when a write is in progress. All `write()` promises resolve successfully, but only the last queued write is persisted to disk. This is a data integrity violation — callers receive a false durability guarantee, leading to silent data loss under concurrent load.
-
-## Details
-
-When a steno `Writer` is locked (write in progress), subsequent `write()` calls are handled by `#add()` (`steno/lib/index.js`, lines 35-45):
-
-```javascript
-#add(data) {
-    this.#nextData = data;  // OVERWRITES any previously queued data
-    this.#nextPromise ||= new Promise((resolve, reject) => {
-        this.#next = [resolve, reject];
-    });
-    return new Promise((resolve, reject) => {
-        this.#nextPromise?.then(resolve).catch(reject);
-    });
-}
-```
-
-If writes A, B, C are queued while write #1 is in progress:
-1. `#add(A)` → `#nextData = A`
-2. `#add(B)` → `#nextData = B` (A silently dropped)
-3. `#add(C)` → `#nextData = C` (B silently dropped)
-4. Write #1 completes → only C is written
-5. **All three promises resolve** — callers of `write(A)` and `write(B)` believe their data was persisted
-
-## PoC
-
-```javascript
-import { Writer } from 'steno';
-const writer = new Writer('test.json');
-
-// Fire 10 concurrent writes
-const promises = [];
-for (let i = 0; i < 10; i++) {
-    promises.push(writer.write(JSON.stringify({ id: i })));
-}
-await Promise.all(promises);
-// All 10 promises resolved ✓
-
-// Read back from disk:
-import fs from 'node:fs';
-const persisted = JSON.parse(fs.readFileSync('test.json', 'utf-8'));
-console.log(persisted); // { id: 9 } — only the LAST write survived
-
-// Writes 0-8 (90%) silently lost despite successful promise resolution
-```
-
-**Tested and confirmed:** 9 out of 10 writes (90%) silently dropped. All 10 `write()` promises resolved successfully, giving callers a false durability guarantee.
-
-## Impact
-
-Any web application using lowdb's async adapter that handles concurrent requests will silently lose user data:
-
- API returns **200 OK** to the user, but their data is **never persisted**
- No errors, no warnings — completely silent data loss
- Under typical web server load (multiple concurrent requests), the **majority** of writes are lost
- Affects audit logs, user data, configuration changes — anything stored in lowdb
-
-## Remediation
-
-1. Replace write coalescing with a sequential write queue that persists every write
-2. At minimum, reject or error on coalesced writes instead of silently dropping them
-3. Document the write-coalescing behavior prominently so developers avoid relying on write durability
-
-**Note:** This vulnerability originates in the `steno` package (same maintainer). A separate advisory may be appropriate for `steno` itself.
+# Security Policy
+
+This project takes security seriously and welcomes responsible disclosure of any vulnerabilities.
+
+## Supported Versions
+
+We aim to support the most recent major versions of this project. Security fixes are generally provided for:
+
+- The latest released major version
+- The previous major version, where feasible
+
+Older versions may no longer receive security updates. If you rely on an unsupported version, consider upgrading to a maintained release.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly and do not disclose it publicly until it has been investigated and fixed.
+
+You can report vulnerabilities via:
+
+- GitHub Security Advisories (recommended): use the "Report a vulnerability" feature in the repository’s **Security** tab, which will create a private advisory thread with the maintainers.
+- Alternatively, contact the maintainers via the email address listed in the repository (e.g., in `README.md` or project metadata), using the subject line `Security vulnerability report`.
+
+When reporting, please include:
+
+- A description of the issue and its potential impact
+- Steps to reproduce (if possible)
+- Any relevant configuration or environment details
+
+We will:
+
+- Acknowledge receipt of your report as soon as possible
+- Investigate the issue and assess its impact
+- Work on a fix and coordinate a responsible disclosure timeline
+- Publish a security advisory with details once a fix is available and users have a reasonable opportunity to update
+
+To avoid exposing users to unnecessary risk, please do not include full exploit proofs-of-concept or detailed attack instructions in public issues or pull requests. Use the private reporting channels above instead.
-<!-- GITHUB SECURITY ADVISORY SUBMISSION -->
-<!-- Title:              Silent Data Loss via Write Coalescing in steno (lowdb dependency) -->
-<!-- Severity:           Medium -->
-<!-- Ecosystem:          npm -->
-<!-- Package name:       lowdb -->
-<!-- Affected versions:  <= 7.0.1 -->
-<!-- Patched versions:   (leave blank) -->
-<!-- CWE:                CWE-362 -->
-
-## Summary
-
-lowdb v7.0.1's async file adapter depends on steno v4.0.2, whose `Writer` silently drops intermediate writes when a write is in progress. All `write()` promises resolve successfully, but only the last queued write is persisted to disk. This is a data integrity violation — callers receive a false durability guarantee, leading to silent data loss under concurrent load.
-
-## Details
-
-When a steno `Writer` is locked (write in progress), subsequent `write()` calls are handled by `#add()` (`steno/lib/index.js`, lines 35-45):
-
-```javascript
-#add(data) {
-    this.#nextData = data;  // OVERWRITES any previously queued data
-    this.#nextPromise ||= new Promise((resolve, reject) => {
-        this.#next = [resolve, reject];
-    });
-    return new Promise((resolve, reject) => {
-        this.#nextPromise?.then(resolve).catch(reject);
-    });
-}
-```
-
-If writes A, B, C are queued while write #1 is in progress:
-1. `#add(A)` → `#nextData = A`
-2. `#add(B)` → `#nextData = B` (A silently dropped)
-3. `#add(C)` → `#nextData = C` (B silently dropped)
-4. Write #1 completes → only C is written
-5. **All three promises resolve** — callers of `write(A)` and `write(B)` believe their data was persisted
-
-## PoC
-
-```javascript
-import { Writer } from 'steno';
-const writer = new Writer('test.json');
-
-// Fire 10 concurrent writes
-const promises = [];
-for (let i = 0; i < 10; i++) {
-    promises.push(writer.write(JSON.stringify({ id: i })));
-}
-await Promise.all(promises);
-// All 10 promises resolved ✓
-
-// Read back from disk:
-import fs from 'node:fs';
-const persisted = JSON.parse(fs.readFileSync('test.json', 'utf-8'));
-console.log(persisted); // { id: 9 } — only the LAST write survived
-
-// Writes 0-8 (90%) silently lost despite successful promise resolution
-```
-
-**Tested and confirmed:** 9 out of 10 writes (90%) silently dropped. All 10 `write()` promises resolved successfully, giving callers a false durability guarantee.
-
-## Impact
-
-Any web application using lowdb's async adapter that handles concurrent requests will silently lose user data:
-
- API returns **200 OK** to the user, but their data is **never persisted**
- No errors, no warnings — completely silent data loss
- Under typical web server load (multiple concurrent requests), the **majority** of writes are lost
- Affects audit logs, user data, configuration changes — anything stored in lowdb
-
-## Remediation
-
-1. Replace write coalescing with a sequential write queue that persists every write
-2. At minimum, reject or error on coalesced writes instead of silently dropping them
-3. Document the write-coalescing behavior prominently so developers avoid relying on write durability
-
-**Note:** This vulnerability originates in the `steno` package (same maintainer). A separate advisory may be appropriate for `steno` itself.
+# Security Policy
+
+This project takes security seriously and welcomes responsible disclosure of any vulnerabilities.
+
+## Supported Versions
+
+We aim to support the most recent major versions of this project. Security fixes are generally provided for:
+
+- The latest released major version
+- The previous major version, where feasible
+
+Older versions may no longer receive security updates. If you rely on an unsupported version, consider upgrading to a maintained release.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly and do not disclose it publicly until it has been investigated and fixed.
+
+You can report vulnerabilities via:
+
+- GitHub Security Advisories (recommended): use the "Report a vulnerability" feature in the repository’s **Security** tab, which will create a private advisory thread with the maintainers.
+- Alternatively, contact the maintainers via the email address listed in the repository (e.g., in `README.md` or project metadata), using the subject line `Security vulnerability report`.
+
+When reporting, please include:
+
+- A description of the issue and its potential impact
+- Steps to reproduce (if possible)
+- Any relevant configuration or environment details
+
+We will:
+
+- Acknowledge receipt of your report as soon as possible
+- Investigate the issue and assess its impact
+- Work on a fix and coordinate a responsible disclosure timeline
+- Publish a security advisory with details once a fix is available and users have a reasonable opportunity to update
+
+To avoid exposing users to unnecessary risk, please do not include full exploit proofs-of-concept or detailed attack instructions in public issues or pull requests. Use the private reporting channels above instead.