Only the latest version published on pub.dev receives security fixes.
Please do not report security vulnerabilities through public GitHub issues.
Instead, use GitHub's private vulnerability reporting for this repository:
- Go to the Security tab
- Click "Report a vulnerability"
- Describe the issue, its impact, and reproduction steps
Your report stays private between you and the maintainer while it is being investigated and fixed. You will get a response as soon as possible, and a coordinated disclosure once a fix is released.
This SDK forwards API keys to the providers configured by the application (OpenAI, Anthropic, Google AI, or a local Ollama server). Keys are never sent anywhere else, logged, or persisted by the SDK. Issues in the provider APIs themselves should be reported to the respective vendors.