WebSSH2 Client implements comprehensive security measures to protect against supply chain attacks, including the NPM package hijacking incident reported in September 2025.

✅ VERIFIED SAFE - This repository does not contain compromised packages from the September 2025 NPM supply chain attack.

• Policy: 2-week quarantine for all newly released package versions
• Process: New versions only adopted after community vetting period
• Build Tools: Special attention to Vite plugins and build dependencies
• Exception: Critical security patches with CVE advisories

Local scanning:

# Run security audit (npm audit + Trivy filesystem scan)
npm run security:audit

GitHub Actions CI pipeline (runs on every pull request):

• CSP Headers: Content Security Policy validation for built assets
• SRI Hash Generation: Subresource Integrity for distributed files
• No Dynamic Loading: Static dependency analysis only
• Minimal Runtime: Reduced client-side dependencies

• Pre-build: npm ci --ignore-scripts prevents lifecycle script attacks
• Post-build: Trivy scans final artifacts for vulnerabilities
• Bundle analysis: npm run analyze for security review of bundled code
• CI enforcement: All GitHub Actions pinned to commit SHAs

• Dependencies use caret (^) ranges with 2-week adoption delay for new releases
• package-lock.json ensures reproducible builds with exact versions
• Critical packages are reviewed before any version updates

1. Dependency Verification: All build tools verified before use
2. Vite Configuration: Security-focused build settings
3. Hot Module Replacement: Secure local development only

1. Artifact Scanning: Trivy scan of final bundle
2. Integrity Verification: SRI hashes for all assets
3. CSP Validation: Content Security Policy compliance
4. Bundle Analysis: Security review of dependencies in final bundle

Please report security vulnerabilities to:

• GitHub: Use the Security Advisories feature to privately report vulnerabilities

• Acknowledgment: Within 24 hours
• Initial Assessment: Within 72 hours
• Fix Development: Within 1 week for critical issues
• Public Disclosure: After fix is deployed and users have time to update

1. Never commit secrets - Use environment variables
2. Pin dependency versions - Avoid automatic updates
3. Review build tool updates - Wait 2 weeks for new releases
4. Run security audit - npm run security:audit before commits
5. Verify bundle integrity - Check final build outputs

1. Community vetting period (2 weeks minimum)
2. Security audit with Socket.dev and Trivy
3. Build tool compatibility verification
4. Client-side security impact assessment
5. Approval by security team

1. Review change logs for security implications
2. Wait 2 weeks after release (except security patches)
3. Test in isolated build environment
4. Verify final bundle security before merging

Every pull request runs the following security checks:

# 1. npm audit - checks for known vulnerabilities
npm audit --audit-level=high

# 2. Trivy filesystem scan - CRITICAL/HIGH severity
aquasecurity/trivy-action@v0.33.1
  scan-type: 'fs'
  severity: 'CRITICAL,HIGH'
  ignore-unfixed: true

# 3. GitHub Dependency Review - flags risky new dependencies
actions/dependency-review-action@v4
  fail-on-severity: high

Results are uploaded to GitHub Security tab via SARIF format.

Trivy:

# Install Trivy (macOS)
brew install trivy

# Run combined audit (npm + Trivy)
npm run security:audit

Bundle Analysis:

# Build with security analysis
npm run build
# Analyze bundle for security issues
npm run analyze

• NPM Supply Chain Attack - September 2025
• Socket.dev Security Platform
• Trivy Security Scanner
• Vite Security Guidelines
• Web Security Best Practices

As of 2026-01-27, we evaluated reported vulnerabilities in solid-js and its seroval dependency. WebSSH2 Client is NOT affected by these issues.

The seroval package is used by SolidJS for server-side rendering serialization. WebSSH2 Client:

• Uses seroval 1.5.0, which is above the patched version (1.4.1)
• Does not use SSR - this is a client-side SPA only
• Uses Socket.IO native JSON serialization for all client-server communication

This vulnerability affects the ssr function in SolidJS, which fails to sanitize JSX expressions in JSX fragments during server-side rendering. WebSSH2 Client:

• Uses solid-js 1.9.11, which is above the patched version (1.9.4)
• Is a plain SolidJS SPA - no Solid Start, no server functions, no SSR
• Does not use innerHTML or unsafe HTML patterns anywhere in the codebase
• All user input is rendered via SolidJS reactive primitives which auto-escape

# Check seroval version
npm ls seroval

# Verify no innerHTML usage
grep -r "innerHTML" client/src/

# Verify no Solid Start dependency
grep -E "solid-start|@solidjs/start" package.json

• GHSA-3rxj-6cgf-8cfw - Seroval RCE
• CVE-2025-27109 - SolidJS XSS
• SolidJS XSS Research

As of 2026-01-27, automated checks for Shai-hulud 2.0 indicators of compromise (IoCs) found no evidence of compromise in this repository.

The scanner performed the following checks:

• Searched for risky npm lifecycle scripts (preinstall, postinstall)
• Checked for known Shai-hulud 2.0 payload files (setup_bun.js, bun_environment.js)
• Inspected GitHub Actions workflows for discussion-triggered backdoor patterns and secret-dumping jobs
• Searched for known self-hosted runner and Docker breakout markers
• Checked for leaked cloud credentials and unsafe npm token usage
• Compared dependencies against a supplied list of known compromised npm packages (if provided)

No matches were found. This is not a guarantee of safety, but it indicates that this project does not currently exhibit known Shai-hulud 2.0 patterns.

Regardless of current status, this project aims to reduce supply chain risk through the following practices:

• Dependencies are pinned, with automated checks to avoid adopting very recent releases until they age out an organization-defined delay window.
• CI/CD tokens and cloud credentials follow least-privilege and short-lived patterns.
• GitHub Actions workflows are restricted to known, reviewed actions from trusted sources.
• Secret scanning is enabled for this repository.
• npm lifecycle scripts are avoided where possible and are never used to download and execute remote code.
• Cloud IAM policies are configured so that developer or CI credentials cannot directly access production infrastructure.

For more information about detection logic or mitigations, contact the security team via GitHub Security Advisories.

Last Updated: February 26, 2026 Next Review: March 26, 2026