The following versions of Hivemind MCP Server are currently supported with security updates:

If you discover a security vulnerability in Hivemind, please report it responsibly:

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Email: Send details to the repository maintainers via GitHub private vulnerability reporting
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours of your report
• Initial Assessment: Within 7 days
• Resolution Timeline: Depends on severity
  • Critical: 24-48 hours
  • High: 7 days
  • Medium: 30 days
  • Low: Next release cycle

Hivemind is designed to be local-first:

• All data stays on your machine by default
• No telemetry or data collection
• Network connections only to configured services (ComfyUI, if enabled)
• MCP protocol uses local stdio transport by default

1. Keep Hivemind updated to the latest version
2. Protect your vault path - don't expose via network without authentication
3. Review ComfyUI settings if enabled - ensure endpoint is localhost
4. Use environment variables for sensitive configuration

We actively monitor dependencies for vulnerabilities using:

• GitHub Dependabot (automatic PRs for security updates)
• npm audit (run during CI/CD)
• CodeQL analysis (static security scanning)

Status: Monitoring
Severity: High
Affected: Development dependencies only
Risk Assessment: Low - Not exploitable in our context

Details:

• Vulnerability requires extracting malicious tar files
• Only present in @semantic-release/npm → bundled npm → tar
• semantic-release is a dev dependency used only in CI/CD for publishing
• The tool doesn't extract user-provided tar files
• Cannot be fixed: tar is bundled inside npm, which is bundled inside @semantic-release/npm
• npm overrides don't work on bundled dependencies

Mitigation:

• CI/CD runs in isolated GitHub Actions environment
• No untrusted tar files are extracted during releases
• Will be automatically resolved when @semantic-release/npm updates their bundled npm dependency

Monitoring: Tracking upstream issue for when a patched version becomes available.

Security-related changes are noted in CHANGELOG.md with the security type.