lograft is in early beta. Until 1.0.0 ships, all 0.x versions are
"supported" only in the sense that we will accept and triage reports against
the latest published release. We do not backport patches to older 0.x lines.
| Version | Status |
|---|---|
| 0.x | Latest published |
Please do not open public GitHub issues for security problems.
Use either of the following private channels:
- GitHub private security advisories (preferred): https://github.com/nano-step/lograft/security/advisories/new
- Email:
nhoxtvt@gmail.com
When reporting, please include:
- A clear description of the issue and its impact.
- Steps to reproduce, ideally a minimal MCP-client config or fixture.
- The
lograftversion (npx lograft --versionor the npm tag). - Any logs, but redact PII before sending —
lograftis built around log redaction; do the same for your reports.
Best-effort response within 14 calendar days for the duration of beta. We
aim to acknowledge sooner. After 1.0.0 we will publish a stricter SLA.
In scope:
- Code shipped in the
lograftnpm package (bin/,src/, generateddist/). - The release workflow (
.github/workflows/release.yml) and any other CI pipeline that builds or publishes artifacts. - Documentation that, if followed, leads users to insecure configuration.
Out of scope:
- Issues in upstream dependencies (please report those upstream; we will accept a separate ticket once a fix is available).
- Issues caused exclusively by user TOML config (we will still triage but they may be classified as "config error" rather than vulnerability).
- Bugs in
@azure/mcpor other toolslograftinvokes as a subprocess.