If you discover a security vulnerability in Speyer UI, please report it through GitHub's private vulnerability reporting. This keeps the report confidential until a fix is available.
Please do not open a public issue for security vulnerabilities.
Only the latest release receives security updates.
| Version | Supported |
|---|---|
| Latest | ✓ |
| Older | ✗ |
SUI documentation uses @latest for convenience. In production, pin to a specific version for reproducible builds:
<!-- Development / prototyping -->
<script src="https://cdn.jsdelivr.net/gh/adrianspeyer/speyer-ui@latest/dist/sui.min.js" defer></script>
<!-- Production — pin the version -->
<script src="https://cdn.jsdelivr.net/gh/adrianspeyer/speyer-ui@3.5.0/dist/sui.min.js" defer></script>SUI components use textContent for user-supplied strings. If you build on top of SUI, follow the same pattern — never interpolate untrusted input into innerHTML:
// ✓ Safe
element.textContent = userInput;
// ✗ Dangerous — XSS vector
element.innerHTML = userInput;The SVG sprite is injected into the page via innerHTML. Only load it from origins you control (your own domain or a pinned CDN version):
// ✓ Same-origin or pinned CDN
fetch('./sui-icons.svg')
fetch('https://cdn.jsdelivr.net/gh/adrianspeyer/speyer-ui@3.5.0/dist/sui-icons.min.svg')
// ✗ Never load sprites from untrusted origins