We take the security of the UI Library seriously. If you discover a security vulnerability, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues to:

• Email: security@your-org.com
• Security Advisory: Use GitHub's Security Advisories

Please include the following information:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if available)
• Your contact information

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity (critical issues within 7-14 days)

• Audit regularly:

  npm audit
  npm audit fix

• Use Dependabot: Automatically configured in .github/dependabot.yml

• Review dependency updates: Don't blindly accept all updates

• Pin critical dependencies: Consider exact versions for security-critical packages

• Enable 2FA: Required for all maintainers

  npm profile enable-2fa auth-and-writes

• Use Provenance: Already configured in package.json

  {
    "publishConfig": {
      "provenance": true
    }
  }

• Publish from CI/CD: Use GitHub Actions instead of local machines

• Review before publish:

  npm pack --dry-run

• TypeScript strict mode: Catch potential bugs at compile time
• ESLint rules: Configured with security-focused rules
• Input validation: Always validate and sanitize user inputs
• XSS Prevention: React's JSX escapes by default, but be cautious with dangerouslySetInnerHTML

• Limit npm publishers: Only trusted maintainers
• GitHub branch protection: Required reviews on main
• Secrets management: Use GitHub Secrets, never commit credentials

• Verify package integrity:

  npm install @your-org/ui-library --check-integrity

• Check provenance:

  npm view @your-org/ui-library --json

• Use lock files: Commit package-lock.json or yarn.lock

• Review changelogs: Before updating versions
• Test before deploying: Don't update directly in production
• Use version ranges carefully: Consider ~ (patch) or ^ (minor) updates

{
  "dependencies": {
    "@your-org/ui-library": "^1.2.0" // Allows 1.x.x updates
  }
}

If using CSP, allow styles from the library:

<meta
  http-equiv="Content-Security-Policy"
  content="style-src 'self' 'unsafe-inline'"
/>

Note: 'unsafe-inline' is needed for Tailwind CSS. Consider using a build process to extract CSS.

• Focus Trap: Prevents keyboard navigation outside modal
• Escape Key: Always provides a way to close
• Body Scroll Lock: Prevents background scrolling

• Type Validation: Use appropriate type attribute
• Sanitization: Library does NOT sanitize input (your responsibility)
• Error Messages: Don't expose sensitive information in error messages

• className Prop: Be cautious with user-provided classNames
• Style Props: Not supported to prevent inline style injection

Run regular security audits:

# Check for vulnerabilities
npm audit

# Fix fixable issues
npm audit fix

# Generate audit report
npm audit --json > audit-report.json

The CI pipeline runs npm audit on every push. Check the Actions tab for results.

1. Day 0: Vulnerability reported
2. Day 1-2: Initial triage and response
3. Day 3-7: Investigation and fix development
4. Day 7-14: Testing and review
5. Day 14: Public disclosure and patch release

Timeline may vary based on severity and complexity.

We recognize security researchers who responsibly disclose vulnerabilities:

Subscribe to security updates:

• GitHub Watch: Watch repository for security advisories
• npm Notifications: Enable email notifications
• RSS Feed: Subscribe to releases

This library aims to comply with:

• WCAG 2.1 Level AA: Accessibility standards
• OWASP Top 10: Web application security risks
• npm Security Best Practices: Package security guidelines

• npm Security Documentation
• GitHub Security Features
• OWASP React Security
• Snyk Vulnerability Database

For security-related questions (non-vulnerabilities):

• Open a GitHub Discussion
• Email: security@your-org.com

Thank you for helping keep the UI Library secure!