| Version | Supported |
|---|---|
| 1.x.x | ✅ Yes |
| < 1.0 | ❌ No |
Please do not open public issues for security vulnerabilities.

Report vulnerabilities privately via GitHub Security Advisories:

Or email: security@effectorhq.dev (monitored, response within 72 hours)

Please include:

- Package name and version affected
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fix (optional)
What to expect:

- Acknowledgement within 72 hours
- Assessment within 7 days — we'll confirm scope and severity
- Fix and disclosure — we coordinate a release and CVE if applicable, then publish a security advisory

We follow Responsible Disclosure and will credit researchers who report valid vulnerabilities (unless you prefer to remain anonymous).
All packages under the @effectorhq npm scope and repositories in the effectorHQ GitHub organization are in scope.

Note: effectorHQ packages are static analysis tools: they parse and validate files but do not execute agent tools or make network requests at runtime. The primary threat surface is path traversal and malicious input in parsed files.