Minigraf is pre-1.0 and under active development. Only the latest published
version on crates.io and the current
main branch receive security fixes. Older versions are not patched.
| Version | Supported |
|---|---|
| latest (0.x) | ✅ |
| older 0.x | ❌ |
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting instead:
Include as much of the following as possible:
- A description of the vulnerability and its potential impact
- The affected version(s)
- Steps to reproduce or a minimal proof-of-concept
- Any suggested mitigations, if known
This is a solo-maintained project. I will make a best-effort response:
- Acknowledgement: within 7 days
- Assessment: within 14 days
- Fix or mitigation: timeline depends on severity and complexity
If a fix is warranted, it will be released as a patch version and a GitHub Security Advisory will be published.
Minigraf is an embedded, single-file library with no network surface. Relevant security concerns include:
- Memory safety issues (e.g. unsound
unsafeusage) - Data corruption or loss due to incorrect ACID/WAL behaviour
- Malicious input via the Datalog query parser leading to unexpected behaviour
- File format vulnerabilities that could affect portability or integrity
Out of scope:
- Issues requiring physical access to the machine running the library
- Vulnerabilities in dependencies (report those upstream; we track them via
cargo auditand Dependabot) - Performance issues that do not have a security impact