Security fixes target the latest version on the main branch.
Please report vulnerabilities privately by contacting the maintainers through GitHub. Do not open a public issue for security reports.
Include:
- Affected feature or URL.
- Reproduction steps.
- Expected and actual impact.
- Any suggested fix, if available.
DevKit runs entirely in the browser and should not require users to submit data to a backend. Treat any accidental credential exposure, unsafe parsing behavior, dependency risk, or cross-site scripting issue as security-sensitive.