
Security: uproid/instancer


Security Policy

Supported Versions

We actively support the following versions of Instancer with security updates:

Version | Supported
------- | ---------
1.x.x   |
< 1.0   |

Reporting a Vulnerability

We take the security of Instancer seriously. If you discover a security vulnerability, please follow these steps:

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

Email: info@uproid.com

What to Include

Please include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Suggested fix (if you have one)
  • Your contact information for follow-up

Response Timeline

  • Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
  • Initial Assessment: We will provide an initial assessment within 5 business days
  • Fix Timeline: We aim to release a fix within 30 days for critical vulnerabilities
  • Disclosure: We will coordinate with you on the disclosure timeline

What Happens Next

  1. We will investigate the reported vulnerability
  2. We will work on a fix and test it thoroughly
  3. We will release a security patch
  4. We will publicly disclose the vulnerability (with credit to you, if desired)
  5. We will update this security policy if needed

Security Best Practices

When using Instancer in your applications:

1. Don't Register Sensitive Data

// ❌ Bad - Don't do this
Instancer.register<ApiKey>(() => ApiKey('secret-key-123'));

// ✅ Good - Use environment variables or secure storage
import 'dart:io'; // needed for Platform.environment

Instancer.register<ApiClient>(() => ApiClient(
  apiKey: Platform.environment['API_KEY']!,
));

2. Validate Factory Outputs

// ✅ Validate data from factories
Instancer.register<Config>(() {
  final config = Config.fromEnvironment();
  if (!config.isValid()) {
    throw StateError('Invalid configuration');
  }
  return config;
});

3. Clean Up in Tests

// ✅ Always clear registrations after tests
tearDown(() {
  Instancer.clear();
});

4. Be Careful with Dependencies

// ⚠️ Be aware that factories can create new instances on every create() call.
// This could lead to resource leaks if not managed properly.
Instancer.register<Database>(() => Database.connect());

// ✅ Consider using a singleton pattern for resources
Database? _dbInstance;
Instancer.register<Database>(() {
  _dbInstance ??= Database.connect();
  return _dbInstance!;
});

Known Security Considerations

Type Safety

Instancer relies on Dart's type system. Ensure you're using the correct types when registering and creating instances to avoid runtime errors.

Factory Function Security

Factory functions registered with Instancer are executed when create() is called. Ensure your factory functions:

  • Don't execute untrusted code
  • Don't access sensitive data unnecessarily
  • Handle errors appropriately
  • Don't cause unintended side effects
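The following is an added example (not code from the Instancer project) that puts the patterns from "Be Careful with Dependencies" and the factory-function rules above into one runnable Dart file: a lazily created singleton resource with explicit shutdown, a factory that validates what it builds before returning it, and errors that never echo the secret they reject. The `Registry` class is a stand-in written here so the file runs with `dart run` and no dependencies; the real Instancer API is assumed to be `Instancer.register<T>(factory)`, `Instancer.create<T>()` and `Instancer.clear()` as used elsewhere on this page, and `Database`, `Config` and the environment map are constructed for the example.

```dart
// Stand-in for Instancer (assumption: same register/create/clear shape).
class Registry {
  static final Map<Type, Object Function()> _factories = {};

  static void register<T extends Object>(T Function() factory) {
    _factories[T] = factory;
  }

  // Factories run here, on create(), not at registration time.
  static T create<T extends Object>() {
    final factory = _factories[T];
    if (factory == null) {
      throw StateError('No factory registered for $T');
    }
    return factory() as T;
  }

  static void clear() => _factories.clear();
}

/// Simulated expensive resource (constructed for the example).
class Database {
  static int connections = 0;
  bool closed = false;
  Database._() {
    connections++;
  }
  static Database connect() => Database._();
  void close() => closed = true;
}

/// Configuration read from an environment map and validated before use.
class Config {
  final String apiKey;
  final Uri endpoint;
  Config._(this.apiKey, this.endpoint);

  factory Config.fromEnvironment(Map<String, String> env) {
    final key = env['API_KEY'];
    final url = env['API_ENDPOINT'];
    if (key == null || key.isEmpty) {
      // Report that the key is missing without ever printing its value.
      throw StateError('API_KEY is not set');
    }
    final uri = Uri.tryParse(url ?? '');
    if (uri == null || uri.scheme != 'https') {
      throw StateError('API_ENDPOINT must be an https URL');
    }
    return Config._(key, uri);
  }
}

// Lazy singleton: the factory may be called many times, but only one
// connection is ever opened, and it can be closed explicitly.
Database? _dbInstance;

void registerAll(Map<String, String> env) {
  Registry.register<Database>(() => _dbInstance ??= Database.connect());
  Registry.register<Config>(() => Config.fromEnvironment(env));
}

// Same role as Instancer.clear() in a test tearDown, plus resource cleanup.
void shutdown() {
  _dbInstance?.close();
  _dbInstance = null;
  Registry.clear();
}

void main() {
  // Constructed environment; real code would read Platform.environment.
  final env = {
    'API_KEY': 'example-only',
    'API_ENDPOINT': 'https://api.example.com',
  };
  registerAll(env);

  final a = Registry.create<Database>();
  final b = Registry.create<Database>();
  print('same instance: ${identical(a, b)}, '
      'connections opened: ${Database.connections}');

  final config = Registry.create<Config>();
  print('endpoint: ${config.endpoint}');

  shutdown();

  // Missing key and a plain-http endpoint: the factory refuses to build.
  registerAll({'API_ENDPOINT': 'http://api.example.com'});
  try {
    Registry.create<Config>();
  } on StateError catch (e) {
    print('rejected: ${e.message}');
  }
  shutdown();
}
```

Two design points carry over to real Instancer code: the validation lives inside the factory, so a caller of `create<Config>()` can never receive a half-built object, and the singleton holder is cleared together with the registry so a test that calls `clear()` does not keep a stale connection alive across cases.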

Public Disclosure

After a security issue has been fixed, we will:

  1. Release a security advisory on GitHub
  2. Update the CHANGELOG with security notes
  3. Credit the reporter (unless they prefer to remain anonymous)
  4. Document any breaking changes if applicable

Security Updates

To stay informed about security updates:

Contact

For security concerns, please contact:

Email: info@uproid.com
GitHub: @uproid


Thank you for helping keep Instancer and its users safe!
