Security updates are handled on the latest main branch while the project is pre-1.0.
Please open a private security advisory on GitHub if available. If not, open an issue with minimal detail and ask for a private contact path.
Do not include live webhook URLs, tokens, secrets, private memo content, or repository credentials in public issues.
~/.memo/config.toml may contain webhook URLs and HMAC secrets. The default memo data .gitignore ignores this file.
Before publishing a memo data repository, check:
git -C ~/.memo status --short
git -C ~/.memo grep -n "secret\\|token\\|password" || true
Webhook queue files under events/ are runtime state and are ignored by default.
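The two checks above cover the working tree and currently tracked files. The following is an added example, not the project's own code, that goes one step further and also looks for config.toml in commit history, since a file that was committed once and later deleted is still published with the repository. The function name memo_publish_check is hypothetical, and it assumes events/ sits at the root of the memo data repository.

```shell
#!/bin/sh
# Added example: pre-publish check for a memo data repository.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
memo_publish_check() {
    repo="${1:-$HOME/.memo}"
    findings=0

    # 1. config.toml must not be in the index. The default .gitignore only
    #    protects it if nobody ran `git add -f` or changed the ignore rules.
    if git -C "$repo" ls-files --error-unmatch -- config.toml >/dev/null 2>&1; then
        echo "tracked: config.toml"
        findings=$((findings + 1))
    fi

    # 2. Nor in any past commit: deleting the file later does not remove it
    #    from history, and history is what gets pushed.
    if [ -n "$(git -C "$repo" log --all --format=%h -- config.toml 2>/dev/null)" ]; then
        echo "in history: config.toml"
        findings=$((findings + 1))
    fi

    # 3. Webhook queue files under events/ are runtime state (path assumed
    #    to be relative to the repository root).
    if [ -n "$(git -C "$repo" ls-files -- events/ 2>/dev/null)" ]; then
        echo "tracked: events/"
        findings=$((findings + 1))
    fi

    # 4. Same keyword search as the git grep above, made case-insensitive
    #    and limited to text files; matching lines are printed as findings.
    if git -C "$repo" grep -n -I -i -e secret -e token -e password 2>/dev/null; then
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Run it as `memo_publish_check ~/.memo` after sourcing the file; a non-zero return means at least one finding was printed.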