Security: bQuery/setup

Security Policy

Thank you for helping keep @bquery/setup and its users safe.

About this project

@bquery/setup is a CLI tool (create-bquery) that scaffolds bQuery projects on users' file systems. Its security-relevant surface is therefore that of a scaffolder: unsafe file path handling (a generated file must land inside the chosen project directory, never outside it), template injection in generated files (user-supplied values such as a project name are written into them), and execution of untrusted shell commands (for example, command strings built from user input).

Supported versions

Security fixes are provided for the latest release of @bquery/setup.

Version   Supported
0.x       yes (latest release only)

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Report them privately via one of the following:

  1. GitHub Security Advisories (preferred): open a private report via the "Report a vulnerability" workflow on this repository.
  2. Email: contact support@josunlp.de with the details below.

Please include:

  • A description of the vulnerability and its potential impact.
  • The affected @bquery/setup version(s).
  • A minimal reproduction or step-by-step instructions.
  • Any proof-of-concept or logs.

Disclosure process

  1. Acknowledgement within 5 business days.
  2. Triage within 10 business days of acknowledgement.
  3. Fix and release — high-severity issues within 30 days of validation.
  4. Public advisory once a fix is available, with credit if you wish.

Thank you for helping make @bquery/setup safer for everyone.
