We release patches for security vulnerabilities. The following versions are currently supported:
| Version | Supported |
|---|---|
| 1.x.x | β |
| < 1.0 | β |
When using Debugg in production, follow these security best practices:

Debugg automatically redacts common sensitive fields, but you should configure additional fields:

```javascript
import { debugg } from 'debugg';

debugg.updateEnhancedConfig({
  security: {
    redactFields: ['password', 'token', 'secret', 'apiKey', 'creditCard', 'ssn'],
    maxContextSize: 1024 * 1024, // 1MB
    enableRateLimiting: true,
    maxErrorsPerMinute: 100,
  },
});
```
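The `redactFields` option matches on key names, so it is worth seeing what such a redactor has to handle. The following is an added example and not Debugg's own implementation: `makeRedactor`, `redactContext` and `sampleContext` are constructed for illustration. It matches key names case-insensitively, walks nested objects and arrays, tolerates circular references, keeps `Error` instances readable, and applies a byte budget in the spirit of `maxContextSize`.

```javascript
// Added example (not Debugg's own code): a field redactor of the kind the
// `security.redactFields` option describes.
const REDACTED = '[REDACTED]';

function makeRedactor(redactFields, maxContextSize = Infinity) {
  // Case-insensitive match on the exact key name: 'Password' matches 'password',
  // but a header such as 'x-api-key' does not match 'apiKey' and must be listed.
  const wanted = new Set(redactFields.map((f) => f.toLowerCase()));

  function walk(value, seen) {
    if (value === null || typeof value !== 'object') return value;
    // Error properties are non-enumerable; copy the readable parts explicitly.
    if (value instanceof Error) return { name: value.name, message: value.message };
    if (seen.has(value)) return '[Circular]';
    seen.add(value);
    let out;
    if (Array.isArray(value)) {
      out = value.map((v) => walk(v, seen));
    } else {
      out = {};
      for (const [key, v] of Object.entries(value)) {
        out[key] = wanted.has(key.toLowerCase()) ? REDACTED : walk(v, seen);
      }
    }
    seen.delete(value); // shared (non-circular) references are still walked
    return out;
  }

  return function redactContext(context) {
    const cleaned = walk(context, new WeakSet());
    const bytes = Buffer.byteLength(JSON.stringify(cleaned), 'utf8');
    if (bytes > maxContextSize) {
      // Drop an oversized payload rather than ship it; keep a size hint.
      return { truncated: true, originalBytes: bytes };
    }
    return cleaned;
  };
}

// Constructed sample context of the kind a request handler might attach.
const sampleContext = {
  user: { id: 42, Password: 'hunter2' },
  request: { headers: { 'x-api-key': 'k-123', 'content-type': 'application/json' } },
  payment: { cards: [{ creditCard: '4111 1111 1111 1111', last4: '1111' }] },
  cause: new Error('boom'),
};

const redactContext = makeRedactor(
  ['password', 'token', 'secret', 'apiKey', 'x-api-key', 'creditCard', 'ssn'],
  1024 * 1024,
);

function demo() {
  return redactContext(sampleContext);
}
```

Note that `x-api-key` has to be listed separately: a redactor keyed on field names cannot know that it carries the same secret as `apiKey`, which is why the page recommends adding your own fields rather than relying on the defaults.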
When using the webhook reporter:

```javascript
import { debugg, createWebhookReporter } from 'debugg';

debugg.addReporter(
  createWebhookReporter('https://your-domain.com/errors', {
    headers: {
      // Placeholders: load the real values from the environment or a secret
      // store rather than committing them to source control.
      'Authorization': 'Bearer YOUR_SECRET_TOKEN',
      'X-API-Key': 'YOUR_API_KEY',
    },
    retries: 3,
    timeout: 5000,
  })
);
```
Derive the configuration from the environment so that console logging, stack traces and deep context stay out of production:

```javascript
const config = {
  serviceName: 'my-app',
  environment: process.env.NODE_ENV,
  logToConsole: process.env.NODE_ENV === 'development',
  includeStackTrace: process.env.NODE_ENV !== 'production',
  maxContextDepth: process.env.NODE_ENV === 'production' ? 3 : 10,
};
```
Enable rate limiting to prevent error flooding:

```javascript
debugg.updateEnhancedConfig({
  security: {
    enableRateLimiting: true,
    maxErrorsPerMinute: 100,
  },
});
```
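To make the effect of `maxErrorsPerMinute` concrete, here is an added example of a sliding-window limiter; it is not Debugg's own implementation, and `createErrorRateLimiter`, `simulateFlood` and the injected `now` clock are constructed for illustration. The limiter also counts what it drops, so a reporter can emit a single "N errors suppressed" summary instead of silently losing visibility during a flood.

```javascript
// Added example (not Debugg's own code): a sliding-window limiter of the kind
// the `enableRateLimiting` / `maxErrorsPerMinute` options describe.
const WINDOW_MS = 60_000;

function createErrorRateLimiter({ maxErrorsPerMinute, now = () => Date.now() }) {
  const timestamps = []; // report times inside the current window, oldest first
  let suppressed = 0;    // errors dropped since the last summary

  // Forget reports that have fallen out of the window; memory stays bounded
  // by maxErrorsPerMinute because nothing is pushed once the window is full.
  function prune(t) {
    while (timestamps.length > 0 && timestamps[0] <= t - WINDOW_MS) {
      timestamps.shift();
    }
  }

  return {
    // Returns true if the error may be reported now, false if it is dropped.
    allow() {
      const t = now();
      prune(t);
      if (timestamps.length < maxErrorsPerMinute) {
        timestamps.push(t);
        return true;
      }
      suppressed += 1;
      return false;
    },
    // Returns and resets the number of dropped errors so the caller can report
    // one summary event rather than losing the information entirely.
    drainSuppressed() {
      const n = suppressed;
      suppressed = 0;
      return n;
    },
  };
}

// Constructed flood: `burst` errors arrive at the same instant.
function simulateFlood(limiter, burst) {
  let reported = 0;
  for (let i = 0; i < burst; i += 1) {
    if (limiter.allow()) reported += 1;
  }
  return { reported, suppressed: limiter.drainSuppressed() };
}
```

With the clock injected, a 250-error burst against a limit of 100 yields 100 reported and 150 suppressed, the limiter stays closed for the rest of the minute, and it reopens once the oldest report ages past 60 seconds.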
We take the security of Debugg seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email at bharath@debugg.example.com with the following information:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you report a vulnerability, you can expect:

- Initial Response: You will receive an acknowledgment within 48 hours
- Status Update: We will send you a more detailed response within 5 business days
- Resolution Timeline: We aim to resolve critical issues within 30 days

Once a report is received, we will:

- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare fixes for all supported versions
- Release new versions and publish security advisories
Security advisories will be published on our GitHub repository and website. To receive notifications about security updates:
- Watch the repository on GitHub
- Subscribe to our security mailing list
- Monitor npm audit reports
When contributing to Debugg, follow these security guidelines:
Always validate and sanitize user input:

```javascript
// Good - validate configuration before using it
function validateWebhookUrl(webhookUrl) {
  if (!webhookUrl || typeof webhookUrl !== 'string') {
    throw new Error('Webhook URL is required and must be a string');
  }
  let url;
  try {
    url = new URL(webhookUrl);
  } catch {
    throw new Error('Invalid webhook URL format');
  }
  // Checked outside the try block so this error is not swallowed by the catch
  if (!['http:', 'https:'].includes(url.protocol)) {
    throw new Error('Webhook URL must use http or https protocol');
  }
  return url;
}
```
Never expose sensitive information in error messages:

```javascript
// Bad - exposes internal details
throw new Error(`Database connection failed: ${dbCredentials.host}:${dbCredentials.port}`);

// Good - generic error message
throw new Error('Database connection failed. Please check your configuration.');
```
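A generic message is only useful if an operator can still get at the detail. The following added example (not Debugg's own code) shows the pattern: the caller receives the generic message plus a reference id, while the host, port and stack go to a server-side log keyed by that id. `PublicError`, `toPublicError`, `connectToDatabase`, the injected `connect` function and the in-memory `internalLog` are all constructed for illustration.

```javascript
// Added example (not Debugg's own code): keep internal detail out of the thrown
// error while keeping it diagnosable through a reference id.
const internalLog = []; // constructed stand-in for a real server-side logger

class PublicError extends Error {
  constructor(message, referenceId) {
    super(`${message} (reference: ${referenceId})`);
    this.name = 'PublicError';
    this.referenceId = referenceId;
  }
}

// The id is a lookup key, not a secret, so a non-cryptographic value suffices.
function newReferenceId() {
  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
}

function toPublicError(internalError, publicMessage) {
  const referenceId = newReferenceId();
  internalLog.push({
    referenceId,
    name: internalError.name,
    message: internalError.message, // may contain hosts, ports, file paths
    stack: internalError.stack,
  });
  return new PublicError(publicMessage, referenceId);
}

// `connect` is injected (constructed) so the example runs offline.
function connectToDatabase(dbCredentials, connect) {
  try {
    return connect(dbCredentials);
  } catch (err) {
    // The bad form would interpolate dbCredentials.host and .port here.
    throw toPublicError(err, 'Database connection failed. Please check your configuration.');
  }
}
```

The caller can quote the reference id in a support request, and the operator resolves it against the internal log; nothing about the database topology crosses the trust boundary.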
Keep dependencies up to date and monitor for security vulnerabilities:

```shell
# Check for outdated packages
bun outdated
# Check for vulnerabilities
bun audit
# Update packages
bun update
```
We use the following security tools:

- ESLint: Static code analysis
- npm audit / bun audit: Dependency vulnerability scanning
- GitHub Security Alerts: Automated vulnerability detection
We would like to thank the following for their contributions to our security:
- All security researchers who responsibly disclose vulnerabilities
- Our community members who help improve our security
- The open-source security community
Thank you for helping keep Debugg and our users safe!