| Version | Supported |
|---|---|
| 2.1.x | ✅ |
| 2.0.x | ✅ |
| < 2.0 | ❌ |
Please do not open public issues for security vulnerabilities.
Use one of the following channels:
- GitHub Security Advisory (preferred):
- Maintainer contact through repository support channels in SUPPORT.md
Include:
- Clear vulnerability description
- Reproduction steps or proof of concept
- Impact assessment
- Suggested remediation (if available)
- User provider keys are stored client-side in browser storage.
- No intentional server-side persistence of user prompts/outputs.
- HTTPS-based provider communication is expected for deployments.
- Dependency updates are monitored via Dependabot and CI checks.
- The corpus (`data/papers/papers.jsonl`) contains publicly available academic abstracts from OpenAlex. No PII or sensitive data is included. `public/corpus-style-model.json` is intentionally published in the public directory: it is needed for client-side style model loading and contains only aggregated statistical distributions, not raw text.
In-scope classes of issues include:
- XSS risks in rendered content paths
- API key exposure risks
- Dependency vulnerabilities with exploitable impact
- Privilege or secret leakage in CI/CD configuration
- Initial triage acknowledgement: within 5 business days
- Mitigation plan for valid findings: as soon as practical, prioritized by severity
- Public disclosure: after remediation is available