Skip to content

Latest commit

 

History

History
54 lines (35 loc) · 1.73 KB

File metadata and controls

54 lines (35 loc) · 1.73 KB

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Speyer UI, please report it through GitHub's private vulnerability reporting. This keeps the report confidential until a fix is available.

Please do not open a public issue for security vulnerabilities.

Supported Versions

Only the latest release receives security updates.

Version Supported
Latest
Older

Security Guidance for Consumers

Pin versions in production

SUI documentation uses @latest for convenience. In production, pin to a specific version for reproducible builds:

<!-- Development / prototyping -->
<script src="https://cdn.jsdelivr.net/gh/adrianspeyer/speyer-ui@latest/dist/sui.min.js" defer></script>

<!-- Production — pin the version -->
<script src="https://cdn.jsdelivr.net/gh/adrianspeyer/speyer-ui@3.5.0/dist/sui.min.js" defer></script>

Use textContent for untrusted data

SUI components use textContent for user-supplied strings. If you build on top of SUI, follow the same pattern — never interpolate untrusted input into innerHTML:

// ✓ Safe
element.textContent = userInput;

// ✗ Dangerous — XSS vector
element.innerHTML = userInput;

Load the icon sprite from trusted origins only

The SVG sprite is injected into the page via innerHTML. Only load it from origins you control (your own domain or a pinned CDN version):

// ✓ Same-origin or pinned CDN
fetch('./sui-icons.svg')
fetch('https://cdn.jsdelivr.net/gh/adrianspeyer/speyer-ui@3.5.0/dist/sui-icons.min.svg')

// ✗ Never load sprites from untrusted origins