The most recently released minor version is supported with security fixes. Older versions may receive fixes at maintainers' discretion.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
If you believe you have found a security vulnerability in @rekurt/openkline-*,
please do not file a public issue. Instead, report it privately via
GitHub's security advisory form,
or email the maintainers at the address listed on the GitHub profile.
Please include:
- A description of the issue and its impact
- Steps to reproduce (proof-of-concept code is welcome)
- Affected version(s)
- Any mitigation you've identified
We aim to acknowledge reports within 72 hours and provide a remediation plan within 7 days for confirmed issues.
In scope:
- Code injection via untrusted candle data, indicator config, drawing
snapshots, or
loadStateinput - Prototype pollution
- Denial-of-service via crafted data feeds (e.g., RAF storm, unbounded memory growth)
- XSS via theme tokens, legend text, or any DOM-touching surface
Out of scope:
- Vulnerabilities in dependencies (please report to upstream)
- Issues that require the attacker to already control the user's browser or the host application's source code