Security: NoPanicCom/strictpath-cli

SECURITY.md

Security Policy

Supported Versions

StrictPath CLI is currently being prepared for a public beta release.

| Version     | Supported      |
|-------------|----------------|
| 0.1.x-beta  | Security fixes |
| <0.1.0-beta | Not supported  |

Reporting a Vulnerability

Do not report security vulnerabilities through public GitHub issues.

Use GitHub private vulnerability reporting on this repository. If unavailable, contact the maintainers through the security contact listed on the NoPanic profile.

What to Include

  • Clear vulnerability description.
  • Impact and severity.
  • Reproduction steps.
  • Minimal proof of concept when possible.
  • CLI version, Node.js version, package manager version and operating system.
  • Generated project template and command used.

Response Targets

  • Initial acknowledgement: 72 hours.
  • Critical vulnerabilities: target fix or mitigation within 7 days.
  • High vulnerabilities: target fix or mitigation within 30 days.
  • Medium/low vulnerabilities: scheduled in normal release planning.

Security Scope

In scope:

  • CLI command execution safety.
  • Template path traversal and file overwrite behavior.
  • Generated package dependency safety.
  • Secret leakage in generated artifacts.
  • Supply-chain and publish packaging issues.

Out of scope:

  • Vulnerabilities introduced by user-authored business logic after generation.
  • Misconfigured infrastructure not produced by this CLI.
  • Unsupported private/internal templates.
