Please report security issues privately via GitHub's "Report a vulnerability" (Security Advisories) on this repository, or by opening a minimal issue that does not include any secrets, tokens, or personal footage. We'll respond as soon as we reasonably can. This is a volunteer, best-effort project (see the no-warranty note in LICENSE).
- This tool never stores your Ring password. The interactive login exchanges it for a refresh token, written to `.ring-token.json` with `0600` permissions.
- That token grants full access to your Ring account; treat it like a password.
- `.ring-token.json`, `.env`, and `config.local.json` are git-ignored. Never commit them. Run `git status` before your first commit to confirm.
- Rotated tokens are persisted automatically; the token value is never written to logs.
- `RING_DEBUG=1` enables verbose `ring-client-api` logging, which may include sensitive request details. Use it only for local troubleshooting, never in shared logs.
npm audit reports high-severity findings that all trace to a single transitive dependency: the `ip` package's `isPublic` SSRF miscategorization (GHSA-2p57-rm9w-gvfp), pulled in via `werift` / `werift-ice` (the WebRTC NAT-traversal stack) beneath `ring-client-api`.

- Not in this project's code. Nothing here calls `ip` directly; it lives in the WebRTC ICE candidate layer.
- Do NOT run `npm audit fix --force`. Its only "fix" downgrades `ring-client-api` to `9.13.0` (pre-WebRTC), which breaks streaming entirely. This project intentionally pins `ring-client-api@14.3.0`.
- Cannot be resolved downstream. The current latest `ring-client-api` still depends on the affected versions; it will clear once `werift` updates upstream.
- Low practical risk for this use case. The `ip` SSRF is relevant when an attacker controls connection targets and the app relies on `ip.isPublic()` for SSRF protection. Here, the WebRTC session connects to your own Ring account over authenticated, DTLS-encrypted media; there is no untrusted-peer attack surface in a personal recorder.
We track this and will bump ring-client-api when an upstream release clears the advisory.