Skip to content

Security: aahoughton/oav

SECURITY.md

Security policy

Reporting a vulnerability

Please do not open a public issue for security-relevant bugs.

Use GitHub's private vulnerability reporting: https://github.com/aahoughton/oav/security/advisories/new

If that isn't available to you, email aah@roarmouse.org with "oav security" in the subject line.

Please include:

  • A description of the issue and its impact.
  • Steps to reproduce, or a minimal proof of concept.
  • The affected version(s) of oav.
  • Any mitigations or workarounds you're aware of.

You should receive an acknowledgement within a few business days. Fixes will be released as patch versions; the advisory will be published via GitHub Security Advisories once a fix is available.

Supported versions

Security fixes are issued for the latest minor release of the current major version line. Older minor versions do not receive backports.

Scope of published packages

The published packages (@aahoughton/oav, @aahoughton/oav-core, @aahoughton/oav-express4, @aahoughton/oav-express5, @aahoughton/oav-fastify) declare framework runtimes (express, fastify) as peer dependencies. Nothing from those frameworks ships inside any of the tarballs, and @aahoughton/oav-core has no runtime dependencies at all.

Three sub-roots in this repo own their own lockfiles for test and benchmark dependencies, isolated from the main workspace:

  • framework-tests/: real-server integration tests for the oav-express4, oav-express5, and oav-fastify adapters.
  • performance/: benchmarks against other JSON Schema / OpenAPI validators.
  • conformance/: upstream JSON Schema and OpenAPI Overlay test-suite harnesses.

Dependabot scans each of those lockfiles. CVEs reported against a package that only appears under one of those directories affect that sub-root's test or benchmark harness; they do not reach the runtime tree that consumers of the npm packages receive. A downstream consumer who sees such a CVE on the security tab is not affected: the package is not present in any published tarball, so transitive resolution does not pick it up.

There aren't any published security advisories