If you discover a security vulnerability in rolecraft, please report it privately.
Do not disclose the issue publicly until it has been addressed.
To report a vulnerability, open a GitHub Security Advisory at:
https://github.com/sametcelikbicak/rolecraft/security/advisories/new
Or email the maintainer directly (see the committer history for contact).
You should receive a response within 48 hours. If you don't, please follow up.
This security policy covers:
- The
rolecraftCLI tool and its source code - The automated release pipeline (GitHub Actions workflows)
- npm package integrity
Only the latest published version on npm receives security updates.
rolecraft has zero runtime dependencies. Security recommendations:
- Always install from the official npm registry
- Verify the package provenance (available since v1.0.0) via
npm audit --provenance - Pin the version in production environments