| Version | Status | Security Updates |
|---|---|---|
| 1.x | Active | Yes |
Only the latest minor of the current major receives security fixes.
This package is a zero-dependency utility library. Its security surface is small:
- No network requests — all functions are pure transforms or static data
- No DOM access — works entirely in JavaScript/Node.js without
windowordocument - Input sanitization via
sanitizeInput(),sanitizeHexColor(),sanitizeFileName() - Prototype-pollution-safe JSON parsing via
safeJSONParse()(reviver drops__proto__,constructor,prototypekeys) - FEN strings are length-capped at 93 characters before any parsing (
MAX_FEN_LENGTH) - SVG output escapes all attribute values to prevent XSS when embedded in HTML
Do not open a public GitHub issue for security vulnerabilities.
- Go to the Security tab
- Click "Report a vulnerability"
- Fill in the private advisory form
To: contact@chessvision.org
Subject: [SECURITY] chess-viewer-utils — <brief description>
- Type of vulnerability (XSS, prototype pollution, ReDoS, etc.)
- Affected version(s) and function(s)
- Steps to reproduce with a minimal code snippet
- Potential impact
- Proof of concept if available
| Stage | Target |
|---|---|
| Initial acknowledgment | ≤ 48 hours |
| Severity assessment | ≤ 5 business days |
| Fix + patch release | ≤ 10 business days for high/critical |
| Public disclosure | After patch is released (coordinated) |
This package has zero runtime dependencies. Development dependencies are monitored by Dependabot with weekly updates.
Run npm audit locally to check for known vulnerabilities in dev deps.