Vivary is pre-1.0 and ships several independently versioned packages. Security fixes target the current public release line:
| Package | Supported line |
|---|---|
| create-vivary / @vivary/create | 0.2.x |
| vivary-tropo | 0.2.x |
| vivary-ozone | 0.1.x |
| vivary-exo | 0.2.x |
Older versions may receive a note in the changelog, but fixes are expected to land in the current line.
Use GitHub private vulnerability reporting for this repository when available. If that is not available to you, contact the maintainer through the repository owner profile and avoid posting exploit details in a public issue.
Please include:
- affected package and version
- operating system and install method
- minimal reproduction steps
- expected impact
- whether any secret, private file, or network boundary is involved
Vivary is a local Markdown workspace scaffold and CLI suite. Security-sensitive areas
include package publishing, dependency installation, generated .gitignore privacy
boundaries, active-context sidecars, and any workflow that pushes, opens PRs, or
publishes packages.
The current package set contains the June 23 security-hardening batch:
- scaffold writes, storage config writes, and stale generated cleanup refusing symlinked or out-of-workspace destination paths
- `create-vivary doctor` validating active `.gitignore` rules instead of accepting comments, negations, or substring matches for private files
- generated workspaces keeping `USER.md`, `MEMORY.md`, `memory/*`, and `heartbeat-reports/*` private while preserving `.gitkeep` placeholders
- `tropo view --out` and `exo claim` replacing workspace files without mutating hard-linked targets outside the workspace
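
The `.gitignore` check described in the hardening list can be sketched as follows. This is an added example, not Vivary's own code: the function names, the exact-match policy, and the rule that only a `.gitkeep` negation is tolerated under a private directory are assumptions, and the sample files are constructed.

```javascript
// Added example, not Vivary's implementation. REQUIRED mirrors the private
// paths named on this page; function names and matching policy are assumptions.
const REQUIRED = ["USER.md", "MEMORY.md", "memory/*", "heartbeat-reports/*"];

// Does the negated pattern `neg` re-include something `rule` is meant to hide?
function reopens(neg, rule) {
  if (neg === rule) return true;
  if (!rule.endsWith("/*")) return false;
  const dir = rule.slice(0, -1);               // "memory/*" -> "memory/"
  return neg.startsWith(dir) && neg !== dir + ".gitkeep";
}

// Returns the required rules that are NOT in effect at the end of the file.
function missingPrivateRules(gitignoreText, required = REQUIRED) {
  const active = new Map(required.map((r) => [r, false]));
  for (const raw of gitignoreText.split("\n")) {
    // git drops unescaped trailing spaces; leading spaces are part of the pattern.
    const line = raw.replace(/[ \r]+$/, "");
    if (line === "" || line.startsWith("#")) continue;   // blank or comment
    if (line.startsWith("!")) {
      const neg = line.slice(1);
      for (const rule of required) {
        if (reopens(neg, rule)) active.set(rule, false); // later negation wins
      }
    } else if (active.has(line)) {
      active.set(line, true);                            // exact match only
    }
  }
  return required.filter((r) => !active.get(r));
}

// Constructed sample inputs.
const GOOD = [
  "USER.md", "MEMORY.md",
  "memory/*", "!memory/.gitkeep",
  "heartbeat-reports/*", "!heartbeat-reports/.gitkeep",
].join("\n");
const BAD = [
  "# USER.md",                      // comment, not a rule
  "docs/MEMORY.md.bak",             // contains the name, but is a different rule
  "memory/*", "!memory/notes.md",   // negation re-includes a private file
  "heartbeat-reports/*", "!heartbeat-reports/.gitkeep",
].join("\n");

console.log(missingPrivateRules(GOOD)); // []
console.log(missingPrivateRules(BAD));  // [ 'USER.md', 'MEMORY.md', 'memory/*' ]
```

Because the check replays the file in order, a required rule that is negated and then restated later counts as active again, matching git's last-match-wins behaviour.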