We actively support and patch security vulnerabilities for the following versions of the project:
| Version | Supported |
|---|---|
| > 1.x | ✅ Fully supported |
| < 1.0 or alpha or beta | ❌ Unsupported |
We take security issues seriously. If you discover a vulnerability, please follow the steps below to report it responsibly:
- Please avoid publicly disclosing the vulnerability on GitHub, social media, or other public forums until we have addressed it.
- Send an email to zhabskiydev@gmail.com with the following details:
- A concise description of the vulnerability.
- Steps to reproduce the issue, if applicable.
- Any potential impact the vulnerability may cause.
- Optionally, your name and any additional information.
- We will confirm receipt of your report within one week and provide regular updates on the status of the investigation and fix.
While we aim to make this library as secure as possible, there are specific nuances users should consider:
-
In-Memory Storage of Request Data
- Sensitive information, such as request headers or payloads, may be temporarily stored in memory.
- Mitigation: Avoid including credentials or sensitive data in request payloads when possible, or use encryption for sensitive data.
-
Request Retry Behavior
- Retried requests might unintentionally duplicate actions (e.g., creating resources) if the server does not support idempotency.
- Mitigation: Use the
Idempotency-Keyheader for POST, PUT, and DELETE requests, especially when working with critical resources.
-
No Built-In Encryption
- The library does not encrypt stored data or requests by default.
- Mitigation: Users can implement custom encryption for sensitive data before sending or storing it.
-
Third-Party Dependencies
- This library relies on third-party dependencies, such as Axios, which may introduce vulnerabilities.
- Mitigation: Regularly check for vulnerabilities using tools like
npm auditand update dependencies promptly.
- Request Data:
- Temporarily stored in memory for retries and may include sensitive information (headers, payloads).
- Not written to disk or persisted outside runtime memory.
- User Responsibility:
- Ensure that sensitive data (e.g., API keys, tokens) is secured when included in requests.
- Use HTTPS to encrypt data in transit.
To maintain secure usage of this library:
- Use the Latest Version:
- Always use the most recent version of the library, which includes the latest security patches.
- Secure Your Environment:
- Run the library in a trusted, secure environment. Avoid execution in untrusted environments without proper precautions.
- Monitor Dependencies:
- Use tools like
npm auditorSnykto check for vulnerabilities in dependencies.
- Use tools like
- Implement Idempotency:
- Use
Idempotency-Keyheaders for POST, PUT, and DELETE requests to ensure safe retries.
- Use
- Encryption:
- Encrypt sensitive data in request payloads, especially when using retryable storage.
-
Validation:
- Once a vulnerability is reported, we validate and reproduce the issue.
- Assess the severity based on its potential impact.
-
Fix Development:
- Security patches are developed, prioritized, and thoroughly tested.
-
Release Notification:
- We release patched versions and disclose vulnerability details responsibly, with acknowledgment for the reporter if agreed upon.
- Dependency Monitoring:
- Dependencies are regularly audited for vulnerabilities, and patches are applied as needed.
- Internal Security Audits:
- The codebase is reviewed periodically for potential security flaws.
- Community Reports:
- We encourage community members to report vulnerabilities.
- Scope:
- This library provides retry functionality for HTTP requests and does not include features like data encryption or token management by default.
- Limitations:
- Security of the underlying transport (e.g., HTTPS) is the user's responsibility.
- Server-side behavior (e.g., handling of retries or idempotency) is outside the library's control.
We appreciate your efforts to responsibly disclose vulnerabilities and contribute to the security of this project. Together, we can ensure a safer and more reliable ecosystem!