This project produces standalone binaries of audiobookshelf from upstream source. Two kinds of issues belong here:
- Packaging vulnerabilities — anything that makes our binary less safe than upstream Docker (e.g. shipped library is older than declared, build pipeline tampering, supply-chain weakness in the workflow).
- Build-pipeline vulnerabilities — issues in this repo's GitHub Actions workflows, scripts, or release process.
Vulnerabilities in audiobookshelf itself (auth bypass, RCE, XSS in the web UI, etc.) belong upstream — please report at advplyr/audiobookshelf.
Please do not open a public issue. Use one of:
- GitHub private vulnerability reports — open at https://github.com/abhinandval/audiobookshelf-binary/security/advisories/new.
- Email the maintainer (address in the GitHub profile of @abhinandval).
Include:
- Affected release version(s)
- Affected target(s) (linux-arm64, etc.)
- Reproduction steps
- Impact assessment
- Your suggested fix, if any
- Acknowledgement: within 5 business days
- Triage decision: within 14 days
- Fix and release: depends on severity; critical issues prioritised
Every release ships SHA256 checksums. SLSA provenance attestations are generated from the build workflow and can be verified with:
gh attestation verify <file> --owner abhinandval