
Security: krish9219/openloom


SECURITY.md

Security policy

Supported versions

Only the main branch is supported. There are no version releases yet.

Reporting

Email the maintainer via the GitHub profile, or use GitHub's private vulnerability reporting.

Threat model

  • Anyone with a URL can view the recording. This is by design for v1: the recording id is the only secret, so anyone who obtains the link (shared, logged, or leaked via a Referer header) can view it. If you need privacy, deploy behind a reverse-proxy auth layer or implement the per-recording token feature.
  • Upload size cap is 200 MB. Beyond that, nginx / Cloudflare in front of the app will refuse the upload before Next.js sees it. Keep the proxy limit in step with the app (for nginx, `client_max_body_size 200M;`); a mismatch either lets oversized bodies through to Next.js or rejects uploads the app would have accepted.
  • Path traversal in storage. `lib/storage.ts::pathFor()` rejects `..`, `/`, and non-alphanumeric ids/extensions, so the id cannot be used to write outside the storage directory. Covered by tests.
  • MIME inference. `extFromMime` recognizes only known video/audio MIME types and falls back to `.bin`. The MIME type is client-supplied, so it is only used to pick the stored extension from an allow-list; never let users name the extension directly.
  • No CSRF protection on upload. The endpoint accepts cross-origin form posts. In the default config this is fine because there is no auth and a forged upload gains an attacker nothing they could not do directly; for an authenticated deployment, add CSRF tokens (or an Origin / Sec-Fetch-Site check) at your reverse proxy or front-end.
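The following is an added example of how the three request-side checks in this threat model (extension from an allow-listed MIME type, a traversal-proof `pathFor`, and an Origin / Sec-Fetch-Site check for authenticated deployments) fit together. It is not openloom's `lib/storage.ts`; the names `pathFor` and `extFromMime` are taken from the bullets above, while `STORAGE_ROOT`, the MIME table, the id and extension patterns, and `isTrustedOrigin` are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Added example, not the project's own code. Assumed storage location.
export const STORAGE_ROOT = path.resolve("/var/lib/openloom/recordings");

// Assumed allow-list of media types the upload endpoint accepts. Anything
// else falls back to "bin", so a client cannot smuggle ".html" or ".js"
// into the stored filename by picking a MIME type.
const MIME_TO_EXT: Readonly<Record<string, string>> = {
  "video/webm": "webm",
  "video/mp4": "mp4",
  "audio/webm": "webm",
  "audio/ogg": "ogg",
  "audio/mpeg": "mp3",
  "audio/wav": "wav",
};

// Derive the stored extension from a Content-Type header. Parameters such
// as "; codecs=vp9" are stripped and the essence lower-cased; unknown or
// missing types get "bin". The client never names the extension directly.
export function extFromMime(contentType: string | null | undefined): string {
  const essence = (contentType ?? "").replace(/;[\s\S]*$/, "").trim().toLowerCase();
  return MIME_TO_EXT[essence] ?? "bin";
}

// Ids and extensions must be short alphanumerics (assumed lengths). The
// allow-list regexes reject "..", "/", "\", NUL and percent-encoding
// outright, so there is nothing left for path normalization to undo.
const ID_RE = /^[A-Za-z0-9]{1,64}$/;
const EXT_RE = /^[A-Za-z0-9]{1,8}$/;

export function pathFor(id: string, ext: string): string {
  if (!ID_RE.test(id)) throw new Error("invalid recording id");
  if (!EXT_RE.test(ext)) throw new Error("invalid extension");
  const full = path.join(STORAGE_ROOT, `${id}.${ext}`);
  // Defense in depth: even after the allow-list, confirm the resolved
  // path is still inside STORAGE_ROOT before handing it to fs.
  const rel = path.relative(STORAGE_ROOT, full);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error("path escapes storage root");
  }
  return full;
}

// Cheap CSRF mitigation for an authenticated deployment. Browsers attach
// Sec-Fetch-Site to every request and Origin to cross-origin POSTs, so a
// cross-site form post is refused without a synchronizer token. Requests
// carrying neither header (non-browser clients) are allowed here to match
// the unauthenticated v1 default; require them once auth is added.
export function isTrustedOrigin(
  headers: Readonly<Record<string, string | undefined>>,
  allowedOrigin: string,
): boolean {
  const site = headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin" && site !== "none") return false;
  const origin = headers["origin"];
  if (origin !== undefined && origin !== allowedOrigin) return false;
  return true;
}
```

`pathFor` throws rather than sanitizing: a request that supplies `../` in an id is hostile, not malformed, and the upload handler should return 400 and log it instead of silently storing under a corrected name.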

If you find a vulnerability outside this list, please report it.

There aren't any published security advisories