AFFECTED VERSIONS: v1.3.x Beta (unreleased)
SEVERITY: Critical
STATUS: v1.3 will NEVER be released as originally planned
Version 1.3.x Beta contains critical cryptography vulnerabilities in the encryption implementation used by Teapot and Teacup gateway features. These vulnerabilities affect the confidentiality and integrity of encrypted data.
IF YOU ARE USING v1.3.x Beta with Teapot/Teacup Gateway:
- STOP using Teapot/Teacup gateway immediately
- Upgrade to v2.0.0 or later (security fixes included)
- Re-encrypt all sensitive data using the new secure implementation
- Review logs for potential unauthorized access
- v1.3.x Beta - Teapot/Teacup gateway encryption (CRITICAL)
- v1.2.x Production - No cryptography issues, but deprecated (see below)
- v2.0.0+ - Fully patched with AES-256-GCM + HKDF
v1.2.x Production users: Your version does NOT have cryptography vulnerabilities. However, v1.2.x is deprecated due to architectural limitations and dependency issues (see Supported Versions below).
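The advisory states that v2.0.0+ is patched with AES-256-GCM plus HKDF. As an added illustration, not Expressive Tea's own code, the TypeScript below shows what that combination provides that the vulnerable v1.3.x Beta implementation did not: a purpose-bound key derived with HKDF, a fresh nonce for every message, and an authentication tag that makes any change to the ciphertext, nonce or associated data fail decryption outright. The function names, the envelope layout and all inputs are this example's own assumptions.

```typescript
// Added example (not Expressive Tea project code): authenticated encryption with
// AES-256-GCM under an HKDF-derived key. Names, envelope layout and sample
// inputs are assumptions made for this illustration only.
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

const KEY_LEN = 32;  // AES-256 key size in bytes
const IV_LEN = 12;   // standard 96-bit GCM nonce
const TAG_LEN = 16;  // full 128-bit authentication tag

// Derive a per-purpose 256-bit key from a master secret. The `info` label keeps
// keys for different uses apart, so a gateway key cannot double as another key.
export function deriveKey(masterSecret: Buffer, salt: Buffer, info: string): Buffer {
  return Buffer.from(hkdfSync("sha256", masterSecret, salt, info, KEY_LEN));
}

// Envelope layout (assumed for this example): iv || tag || ciphertext.
// `aad` is authenticated but not encrypted, binding context (e.g. a version
// label) to the message.
export function encrypt(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const iv = randomBytes(IV_LEN);  // never reuse a nonce under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns null when the tag does not verify, so a caller never receives partial
// or unauthenticated plaintext and sees tampering as one failure mode.
export function decrypt(key: Buffer, envelope: Buffer, aad: Buffer): Buffer | null {
  if (envelope.length < IV_LEN + TAG_LEN) return null;
  const iv = envelope.subarray(0, IV_LEN);
  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = envelope.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } catch {
    return null;  // authentication failed: ciphertext, tag, iv or aad was altered
  }
}

// Demonstration on constructed inputs: a round trip succeeds, a single flipped
// ciphertext byte is rejected, and a key derived for a different purpose is
// rejected even though it shares the same master secret.
export function demo(): { roundTrip: boolean; tamperRejected: boolean; wrongKeyRejected: boolean } {
  const master = randomBytes(32);  // constructed master secret
  const salt = randomBytes(16);    // constructed salt
  const aad = Buffer.from("gateway:v2");
  const key = deriveKey(master, salt, "example/gateway");
  const plaintext = Buffer.from("constructed sensitive payload");

  const env = encrypt(key, plaintext, aad);
  const roundTrip = decrypt(key, env, aad)?.equals(plaintext) ?? false;

  const tampered = Buffer.from(env);
  tampered[tampered.length - 1] ^= 0x01;  // corrupt one ciphertext byte
  const tamperRejected = decrypt(key, tampered, aad) === null;

  const otherKey = deriveKey(master, salt, "example/session");
  const wrongKeyRejected = decrypt(otherKey, env, aad) === null;

  return { roundTrip, tamperRejected, wrongKeyRejected };
}
```

The point of the `demo` checks is the integrity half of the advisory: with GCM, a modified envelope or a mismatched key is rejected before any plaintext is returned, which is the property a plain unauthenticated cipher mode cannot give.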
All our code is continuously scanned by Snyk, and vulnerability response and remediation are tracked via Dependabot or by team members.
| Version | Supported | Security Status | Notes |
|---|---|---|---|
| 2.0.x | Yes | Secure | Recommended - Full security patches, strict TypeScript |
| 1.3.x Beta | No | CRITICAL | DO NOT USE - Critical crypto vulnerabilities |
| 1.2.x | Deprecated | No crypto issues | Deprecated due to InversifyJS 6.x EOL & architecture |
| 1.0.x - 1.1.x | No | Unsupported | No security updates, upgrade immediately |
Production version v1.2.x does NOT have cryptography issues but is officially deprecated as of January 27, 2026.
Why is v1.2.x deprecated?
- Depends on InversifyJS v6.x (now deprecated and unmaintained)
- Architectural limitations prevent modern feature support
- Major package dependencies require breaking changes
- Cannot receive future security patches without breaking changes
- Performance and type safety improvements only in v2.0+
Migration Path:
- v1.2.x users should migrate to v2.0.0+ as soon as feasible
- See MIGRATION_GUIDE_v2.md for step-by-step instructions
- v1.2.x will receive NO updates after January 27, 2026
We take security seriously. If you discover a vulnerability in Expressive Tea or have security concerns, please report it responsibly.
For security vulnerabilities:
- Email: security@expressive-tea.io
- Include: Affected versions, steps to reproduce, and potential impact
- Response time: We aim to respond within 48 hours
For compliance issues:
- Email: compliance@expressive-tea.io
- Acknowledgment - We'll confirm receipt within 48 hours
- Investigation - We'll investigate and validate the report
- Fix & Disclosure - We'll develop a fix and coordinate disclosure
- Credit - Security researchers will be credited (if desired)
When using Expressive Tea v2.0+:
DO:
- Keep dependencies up to date (`npm audit`, `yarn audit`)
- Use TypeScript strict mode for better type safety
- Follow the OWASP Top 10 guidelines
- Validate and sanitize all user inputs
- Use environment variables for sensitive configuration
- Enable HTTPS in production
- Implement proper authentication and authorization
DON'T:
- Use v1.3.x Beta (critical vulnerabilities)
- Store secrets in code or version control
- Disable security features without understanding the risk
- Trust user input without validation
- OWASP Node.js Security Cheat Sheet
- Express Security Best Practices
- Migration Guide - Upgrading from v1.x to v2.0
Need help? Contact us at support@expressive-tea.io