Security fixes are applied to the latest minor release. Older versions are not patched — upgrade to receive fixes.

| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |

If you discover a security issue, please do not open a public GitHub issue. Instead:
- Open a private security advisory on this repository, or
- Email the maintainer (see `Cargo.toml` for contact).

Include:
- A description of the issue and its impact
- Steps to reproduce
- Affected versions
- Any proof-of-concept code, if applicable

You can expect an initial acknowledgement within 7 days. Confirmed issues will be triaged and patched as quickly as possible; coordinated disclosure timelines will be agreed with the reporter.

`codemap` is a static-analysis binary. It does not make network requests, does not execute the code it analyzes, and does not read or modify files outside the directory passed via `--dir`. Most security issues will involve:
- Crash / DoS via malformed input (PE/ELF/Mach-O/WASM/JAR parsing, malformed source files)
- Memory-safety issues in the disassembler, AST walkers, or binary-format parsers
- Path-traversal or symlink-following bugs during repository walks
- Sandbox escapes if codemap is invoked from a sandboxed agent context

Bugs in third-party dependencies should be reported upstream; we will pull the fix once it's available.