The following versions of Pappify are currently supported with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ Yes |
| < 1.0 | ❌ No |
We take security vulnerabilities seriously. If you discover a security issue in Pappify, please report it responsibly.
- Do NOT create a public GitHub issue for security vulnerabilities
- Send an email with details to the maintainers
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Response Time: We aim to respond within 48 hours
- Updates: You'll receive updates on the progress every 7 days
- Resolution: Critical vulnerabilities will be patched within 7 days
- Credit: If you wish, we'll credit you in the release notes
| Outcome | What Happens |
|---|---|
| Accepted | We'll work on a fix and release a security patch |
| Declined | We'll explain why it's not considered a vulnerability |
| Duplicate | We'll let you know it's already being addressed |
When using Pappify:
- Keep your dependencies updated (
npm update) - Never expose your Discord token or Lavalink password
- Use environment variables for sensitive data
- Validate user input before passing to Pappify methods
- Keep your Lavalink server secured and up to date
This security policy covers:
- Pappify core library (
pappifynpm package) - Official plugins (SpotifyPlugin, SaveStatePlugin, AutoDisconnectPlugin)
- Example code in the repository
Out of scope:
- Third-party plugins
- Lavalink server vulnerabilities
- Discord.js vulnerabilities
Thank you for helping keep Pappify secure! 🔒