Thank you for helping keep @bquery/ui and its users safe.
Security fixes are provided only for the latest release line of @bquery/ui; older versions do not receive backported fixes.
| Version | Supported |
|---|---|
| 1.14.x | ✅ |
| < 1.14.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Report them privately via one of the following:
- GitHub Security Advisories (preferred): open a private report via the "Report a vulnerability" workflow on this repository.
- Email: contact support@josunlp.de with the details below.
Please include:
- A description of the vulnerability and its impact.
- The affected @bquery/ui version(s) and component(s).
- A minimal reproduction: code snippet or step-by-step instructions.
- Any proof-of-concept, stack traces, or logs.
What to expect after you report:
- Acknowledgement within 5 business days.
- Triage within 10 business days of acknowledgement.
- Fix and release: high-severity issues within 30 days of validation.
- Public advisory once a fix is available, with credit if you wish.
In scope:
- Source code in this repository (`src/**`) and the published `@bquery/ui` package on npm.
- Component rendering, slot injection, and sanitization behaviour.
- Design token and theme APIs that could be misused to inject unsafe content.
Out of scope:
- Vulnerabilities in third-party applications that merely consume @bquery/ui components.
- Issues that require an already-compromised environment.
- Theoretical issues without a demonstrable security impact.
Thank you for helping make @bquery/ui safer for everyone.