This security policy applies to all packages in the @libar-dev/zod-convex ecosystem:
- @libar-dev/zod-convex-core
- @libar-dev/zod-convex-ids
- @libar-dev/zod-convex-tables
- @libar-dev/zod-convex-codecs
- @libar-dev/zod-convex-gen
- @libar-dev/zod-convex-builders
- @libar-dev/eslint-plugin-zod-convex
We actively support the following versions with security updates:
| Version | Supported | Status |
|---|---|---|
| 0.1.x | ✅ | Active development |
Recommendation: Always use .strict() on Zod schemas to prevent data pollution:

```typescript
import { z } from "zod";

// Secure: Rejects unexpected fields
export const UsersTableSchema = z.object({
  email: z.string().email(),
  name: z.string()
}).strict();
```

```typescript
import { z } from "zod";

// Insecure: Allows arbitrary fields
export const UsersTableSchema = z.object({
  email: z.string().email(),
  name: z.string()
}); // Missing .strict()
```

Why: Without .strict(), external sources (AI providers, user input) can inject unexpected fields into your database.
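As an added check (example code, not part of @libar-dev/zod-convex or its eslint plugin), the following TypeScript scans the source text of a schema file for z.object(...) calls that are not chained with .strict(), so a pre-commit hook or CI job can flag them before a schema is committed. The sample schema text is constructed for this example; it includes a nested object because .strict() on an outer object does not make nested z.object fields strict, so each call is checked on its own.

```typescript
// Added example, not the project's code: a heuristic source scan that flags
// z.object(...) schemas not chained with .strict(). Brackets are matched by
// counting (string literals are skipped; comments are not handled), so this is
// a lint-style check, not a parser.

interface SchemaFinding {
  line: number;    // 1-based line of the z.object( call
  column: number;  // 0-based column of the call
  strict: boolean; // true when .strict() is chained onto the object schema
}

const OBJECT_CALL = /\bz\.object\s*\(/g;

// Index just past the parenthesis that closes the call whose "(" is at openIdx.
// Quoted strings and template literals are treated as opaque so parentheses
// inside them are not counted. Returns -1 if unbalanced.
function findCallEnd(src: string, openIdx: number): number {
  let depth = 0;
  let i = openIdx;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'" || ch === '`') {
      const quote = ch;
      i++;
      while (i < src.length && src[i] !== quote) {
        if (src[i] === '\\') i++; // skip escaped character
        i++;
      }
    } else if (ch === '(') {
      depth++;
    } else if (ch === ')') {
      depth--;
      if (depth === 0) return i + 1;
    }
    i++;
  }
  return -1;
}

// Walk the method chain after a completed z.object(...) call, e.g.
// `.describe("users").strict()`, and report whether .strict() appears before
// the chain ends. .passthrough() and .strip() choose non-strict handling
// explicitly, so the walk stops there.
function isFollowedByStrict(src: string, from: number): boolean {
  const rest = src.slice(from);
  const chainStep = /^\s*\.\s*([A-Za-z_$][\w$]*)\s*\(/;
  let pos = 0;
  for (;;) {
    const m = chainStep.exec(rest.slice(pos));
    if (m === null) return false;
    const name = m[1];
    if (name === 'strict') return true;
    if (name === 'passthrough' || name === 'strip') return false;
    const end = findCallEnd(rest, pos + m[0].length - 1);
    if (end < 0) return false;
    pos = end;
  }
}

function lineAndColumn(src: string, idx: number): { line: number; column: number } {
  const before = src.slice(0, idx);
  return { line: before.split('\n').length, column: idx - (before.lastIndexOf('\n') + 1) };
}

// Every z.object( call in the source, nested ones included: .strict() on an
// outer object does not make nested z.object fields strict.
function scanSchemas(src: string): SchemaFinding[] {
  const findings: SchemaFinding[] = [];
  const re = new RegExp(OBJECT_CALL.source, 'g');
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    const end = findCallEnd(src, m.index + m[0].length - 1);
    if (end < 0) break; // unbalanced source: stop rather than guess
    const { line, column } = lineAndColumn(src, m.index);
    findings.push({ line, column, strict: isFollowedByStrict(src, end) });
  }
  return findings;
}

function nonStrictSchemas(src: string): SchemaFinding[] {
  return scanSchemas(src).filter((f) => !f.strict);
}

// Constructed sample schema file (not from the project) used to exercise the scan.
const SAMPLE_SCHEMA_SOURCE = `
import { z } from "zod";

// good: unknown keys rejected
export const UsersTableSchema = z.object({
  email: z.string().email(),
  name: z.string(),
}).strict();

// bad: missing .strict()
export const SessionsTableSchema = z.object({
  token: z.string(),
  expiresAt: z.number(),
});

// bad: the nested object is not made strict by the outer .strict()
export const OrdersTableSchema = z.object({
  id: z.string(),
  shipping: z.object({ street: z.string(), city: z.string() }),
}).describe("orders (:)").strict();
`;

for (const f of nonStrictSchemas(SAMPLE_SCHEMA_SOURCE)) {
  console.log(`line ${f.line}:${f.column}: z.object() without .strict()`);
}
```

Run it over each schema file in CI and fail the job when nonStrictSchemas returns anything; for the sample above it reports lines 11 and 19.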
The generator executes code in your schema files during build time:
Safe Usage:
- Run in CI/CD pipelines with trusted code
- Run locally on your own schema files
- Run in controlled build environments
Unsafe Usage:
- Running on schemas from untrusted sources
- Executing with elevated privileges unnecessarily
- Running in production environments
We recommend:
- Reviewing generated validators before first commit
- Using version control to track changes
- Running security scans on your complete codebase
When using authentication wrappers:
- Implement proper authentication logic in your getUser function
- Validate all user tokens against your authentication provider
- Use branded types for type-safe user IDs
- Never trust user-provided authentication claims
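As an added illustration of those points (example code, not from the project), here is a framework-agnostic TypeScript sketch of a getUser function and an auth wrapper: identity is taken only from a token checked by an injected verifier (a hypothetical TokenVerifier standing in for your provider's library), user IDs are a branded type, and any userId the caller places in the request arguments is ignored. The token table, request context shape and id format rule are constructed for the example.

```typescript
// Added example, not code from @libar-dev/zod-convex: an authentication
// wrapper that derives the caller's identity only from a verified token and
// hands the handler a branded UserId.

// Branded type: a plain string cannot be passed where a UserId is expected.
type UserId = string & { readonly __brand: 'UserId' };

function asUserId(raw: string): UserId {
  // Constructed format rule for this example; keep such checks tight.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(raw)) throw new Error('malformed user id');
  return raw as UserId;
}

interface VerifiedClaims {
  sub: string; // subject (user id) as asserted by the provider
  exp: number; // expiry, seconds since epoch
}

// Hypothetical: returns verified claims, or null when the token is not valid.
type TokenVerifier = (token: string) => VerifiedClaims | null;

// Hypothetical request context; the bearer token is the only trusted input.
interface RequestCtx {
  authToken?: string;
}

function getUser(ctx: RequestCtx, verify: TokenVerifier, nowSeconds: number): UserId {
  if (!ctx.authToken) throw new Error('unauthenticated');
  const claims = verify(ctx.authToken);
  if (claims === null) throw new Error('invalid token');
  if (claims.exp <= nowSeconds) throw new Error('token expired');
  return asUserId(claims.sub);
}

// Handlers never see raw tokens or client-supplied identity: the wrapper
// resolves the user and ignores any userId the caller put in the arguments.
function withAuth<A extends object, R>(
  verify: TokenVerifier,
  handler: (user: UserId, args: A) => R,
): (ctx: RequestCtx, args: A, nowSeconds?: number) => R {
  return (ctx, args, nowSeconds = Math.floor(Date.now() / 1000)) => {
    const user = getUser(ctx, verify, nowSeconds);
    return handler(user, args);
  };
}

// Constructed verifier standing in for an identity provider: a fixed table of
// already-verified tokens. Anything not in the table is rejected.
const KNOWN_TOKENS: Record<string, VerifiedClaims> = {
  'tok-alice': { sub: 'user_alice', exp: 2000000000 },
  'tok-stale': { sub: 'user_stale', exp: 1000000000 },
};
const tableVerifier: TokenVerifier = (token) => KNOWN_TOKENS[token] ?? null;

// A handler that reports whose data it would act on. _args.userId is
// deliberately unused: identity comes from the token, never from the caller.
const whoAmI = withAuth<{ userId?: string }, string>(tableVerifier, (user, _args) => {
  return `acting as ${user}`;
});

// Run the wrapped handler at a fixed clock and turn rejections into strings.
function tryCall(ctx: RequestCtx, args: { userId?: string }, nowSeconds = 1500000000): string {
  try {
    return whoAmI(ctx, args, nowSeconds);
  } catch (e) {
    return `denied: ${(e as Error).message}`;
  }
}

console.log(tryCall({ authToken: 'tok-alice' }, { userId: 'user_admin' })); // acting as user_alice
console.log(tryCall({}, { userId: 'user_admin' }));                          // denied: unauthenticated
console.log(tryCall({ authToken: 'tok-stale' }, {}));                        // denied: token expired
console.log(tryCall({ authToken: 'forged' }, {}));                           // denied: invalid token
```

The shape to keep is that the handler signature receives a UserId produced by getUser and nothing else identity-related; a client-supplied userId in the arguments has no path into the handler's logic.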
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please email us at: security@libar.ai
Include in your report:
- Description: Clear description of the vulnerability
- Impact: Potential impact and attack scenarios
- Reproduction: Steps to reproduce the issue
- Environment: Node.js version, package version, OS
- Package: Which @libar-dev/zod-convex-* package is affected
- Proposed Fix: If you have suggestions (optional)
After submitting a vulnerability report:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability within 5 business days
- Updates: We will keep you informed of our progress
- Fix Timeline: Critical vulnerabilities will be patched within 7 days
- Disclosure: We will coordinate public disclosure with you
- Credit: We will credit you in the security advisory (if desired)
| Severity | CVSS Score | Response Time | Examples |
|---|---|---|---|
| Critical | 9.0-10.0 | 24-48 hours | Remote code execution, privilege escalation |
| High | 7.0-8.9 | 3-5 days | Authentication bypass, significant data exposure |
| Medium | 4.0-6.9 | 7-14 days | Limited data exposure, minor privilege escalation |
| Low | 0.1-3.9 | 30 days | Informational issues, best practice violations |
Security updates are released as patch versions and announced via:
- GitHub Security Advisories
- NPM advisory database
- Release notes in CHANGELOG.md
- GitHub Releases page
To receive security notifications:
- Watch the GitHub repository
- Enable Security Alerts in your repository settings
- Monitor the GitHub Releases page
All packages in this ecosystem are monitored for vulnerabilities using:
- npm audit
- Dependabot alerts
- Manual security reviews
Dependencies:
- zod: Schema validation library
- convex: Backend platform (peer dependency)
We actively monitor these dependencies and update promptly when security issues are discovered.
For security-related questions:
- Email: security@libar.ai
- GitHub Issues: For non-security bugs only
Last Updated: 2025-01