| Version | Supported |
|---|---|
| Latest | Yes |
If you discover a security vulnerability in this project, please report it responsibly:
- Do NOT open a public issue.
- Use GitHub's private vulnerability reporting to submit your report.
- Include a description of the vulnerability, steps to reproduce, and potential impact.
- We will acknowledge receipt within 48 hours and provide a timeline for a fix.
- Never commit
.envfiles, API keys, database passwords, or tokens to the repository. - Always use environment variables for sensitive configuration.
- If you accidentally expose a secret, rotate it immediately.
- Use the provided
.env.examplefiles as templates — never copy real credentials into them.
If a secret has been exposed in the Git history:
- Rotate the compromised key/password immediately on the provider's platform.
- Update your local
.envfile with the new value. - Consider using
git filter-repoor BFG Repo-Cleaner to remove the secret from history (this rewrites Git history and requires force push). - Git history cleanup does NOT replace secret rotation — always rotate first.