| Version | Supported |
|---|---|
| 1.x.x | β |
| < 1.0 | β |
We take the security of notebook-mdx seriously. If you discover a security vulnerability, please follow the steps below.
Please do not report security vulnerabilities through public GitHub issues. Instead, report them privately to:
- Email: [email protected]
- GitHub Security: Use GitHub's private vulnerability reporting
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
Response timeline:
- Initial Response: Within 48 hours of receiving your report
- Status Update: Within 7 days with a more detailed response
- Fix Timeline: Security issues will be prioritized and typically resolved within 30 days
While we don't currently offer a formal bug bounty program, we greatly appreciate security researchers who responsibly disclose vulnerabilities. Contributors who report valid security issues will be:
- Credited in our security acknowledgments (with permission)
- Given priority in feature requests and support
- Considered for future collaboration opportunities
Security best practices for users:
- Always keep notebook-mdx updated to the latest version
- Be cautious when rendering untrusted notebook content
- Sanitize user-provided notebook data before rendering
- Use Content Security Policy (CSP) headers when possible
- Run security audits with `pnpm audit`
Security best practices for contributors:
- Use TypeScript for type safety
- Validate all inputs and outputs
- Follow secure coding practices
- Keep dependencies updated
Security features of notebook-mdx:
- No code execution: notebook-mdx only renders, never executes notebook code
- Content sanitization: All user content is properly escaped
- Type safety: TypeScript prevents many common vulnerabilities
- Dependency auditing: Regular security scans of dependencies
Known considerations:
- notebook-mdx processes and renders Jupyter notebook JSON
- While we sanitize content, always validate notebooks from untrusted sources
- Consider implementing additional CSP policies for production use
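The two bullets above that ask users to validate and sanitize notebooks from untrusted sources are easy to state and easy to get wrong. The following TypeScript is an added example, not code from notebook-mdx itself, showing what a pre-render check can look like: it parses the notebook JSON, checks the public nbformat v4 shape (`nbformat`, `cells`, `cell_type`, `source` as a string or string array), rejects anything outside an allow-list of cell types, caps sizes, and HTML-escapes cell text so that markup in a markdown cell cannot reach the DOM unescaped. The size limits, the allow-list, the `SAMPLE_NOTEBOOK` input and the baseline CSP string are assumptions chosen for this example.

```typescript
// Added example (not notebook-mdx's own code): validate an untrusted Jupyter
// notebook before rendering it. Field names follow nbformat v4; the limits,
// the allow-list and the sample input below are assumptions for this example.

type CellType = "markdown" | "code" | "raw";

interface SafeCell {
  cellType: CellType;
  source: string; // normalized to a single HTML-escaped string
}

interface ValidationResult {
  ok: boolean;
  errors: string[];
  cells: SafeCell[];
}

const ALLOWED_CELL_TYPES: ReadonlySet<string> = new Set(["markdown", "code", "raw"]);
const MAX_CELLS = 10_000;           // assumed limit for the whole notebook
const MAX_SOURCE_CHARS = 1_000_000; // assumed limit per cell

// A restrictive baseline CSP (assumed values) to pair with rendered notebooks:
// no inline scripts, no remote script sources, no framing by other origins.
const BASELINE_CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'";

function escapeHtml(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// nbformat permits `source` either as one string or as an array of strings.
function normalizeSource(v: unknown): string | null {
  if (typeof v === "string") return v;
  if (Array.isArray(v) && v.every((s) => typeof s === "string")) return v.join("");
  return null;
}

function validateNotebook(raw: string): ValidationResult {
  const errors: string[] = [];
  const cells: SafeCell[] = [];
  let doc: unknown;
  try {
    doc = JSON.parse(raw);
  } catch {
    return { ok: false, errors: ["not valid JSON"], cells };
  }
  if (!isRecord(doc)) return { ok: false, errors: ["top level is not an object"], cells };
  if (doc.nbformat !== 4) errors.push(`unsupported nbformat: ${String(doc.nbformat)}`);
  if (!Array.isArray(doc.cells)) {
    errors.push("cells is not an array");
    return { ok: false, errors, cells };
  }
  if (doc.cells.length > MAX_CELLS) errors.push(`too many cells: ${doc.cells.length}`);
  doc.cells.forEach((cell: unknown, i: number) => {
    if (!isRecord(cell)) { errors.push(`cell ${i}: not an object`); return; }
    const cellType = cell.cell_type;
    if (typeof cellType !== "string" || !ALLOWED_CELL_TYPES.has(cellType)) {
      errors.push(`cell ${i}: unknown cell_type ${String(cellType)}`);
      return;
    }
    const source = normalizeSource(cell.source);
    if (source === null) { errors.push(`cell ${i}: source is not a string or string[]`); return; }
    if (source.length > MAX_SOURCE_CHARS) { errors.push(`cell ${i}: source too large`); return; }
    // Escape here so that a renderer treating `source` as text cannot emit markup.
    cells.push({ cellType: cellType as CellType, source: escapeHtml(source) });
  });
  return { ok: errors.length === 0, errors, cells };
}

// Constructed sample: a well-formed notebook whose markdown cell carries a
// script tag that must not survive into the rendered page unescaped.
const SAMPLE_NOTEBOOK = JSON.stringify({
  nbformat: 4,
  nbformat_minor: 5,
  metadata: {},
  cells: [
    { cell_type: "markdown", metadata: {}, source: ["# Title\n", "<script>alert(1)</script>"] },
    { cell_type: "code", metadata: {}, execution_count: null, outputs: [], source: "print('hi')" },
  ],
});

const result = validateNotebook(SAMPLE_NOTEBOOK);
console.log(result.ok, result.errors, result.cells[0].source);
console.log("Content-Security-Policy:", BASELINE_CSP_HEADER);
```

Escaping at validation time is one design choice; a renderer that passes markdown through a real markdown engine would instead hand it an allow-listed sanitizer after parsing. Either way, the rule the bullets above express is the same: do not let raw `source` strings from an untrusted notebook reach the DOM.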
For security-related questions or concerns, please contact:
- Security Team: [email protected]
- Maintainer: @abhay-ramesh
Thank you for helping keep notebook-mdx secure!