We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take the security of article-extractor seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not:
- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before we've had a chance to fix it
Instead, report it through one of these channels:
- Use GitHub's private vulnerability reporting: Go to the Security tab of this repository and click "Report a vulnerability"
- Or email us directly: Send details to pankaj28843@gmail.com with the subject line "SECURITY: article-extractor"
Please include as much of the following information as you can, as it helps us triage and fix the issue faster:
- Type of issue (e.g., XSS, injection, denial of service)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you submit a report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Updates: We will keep you informed of the progress towards a fix
- Disclosure: Once the issue is resolved, we will publicly disclose the vulnerability in our release notes
- Credit: We will credit you for the discovery (unless you prefer to remain anonymous)
This project employs several security measures:
- CodeQL Analysis: Automated security scanning on every push and PR
- Dependabot: Automated dependency updates for security patches
- Ruff Security Rules: flake8-bandit security linting rules enabled
- XSS-safe output: HTML sanitization via JustHTML by default
- No code execution: No eval() or exec() calls on user input
- Minimal dependencies: Reduced attack surface
- Non-root user: Docker images run as non-root by default
- Minimal base image: Using slim Python images
- Multi-platform support: Verified builds for amd64 and arm64
The library includes built-in security features:
- safe_markdown=True (the default) ensures XSS-safe Markdown output
- HTML sanitization removes potentially dangerous elements
- No network requests unless explicitly using async fetchers
We use GitHub's Dependabot to:
- Automatically create PRs for security updates
- Keep all dependencies up to date
- Monitor for known vulnerabilities in the dependency tree
Security updates will be:
- Released as patch versions (e.g., 0.1.1 → 0.1.2) for backward-compatible fixes
- Published to PyPI immediately after validation
- Announced in GitHub releases with CVE references if applicable