Security fixes are published for the latest minor release in each supported major line.
| Version | Supported |
|---|---|
| 2.1.x | ✅ |
| 2.0.x | ✅ |
| 1.x | ❌ |
| < 1.0 | ❌ |
We recommend running the latest 2.1.x release. Older supported lines receive critical fixes only when backporting is practical.
If you believe you have found a security vulnerability in QAST, please report it responsibly.
Preferred: GitHub Private Vulnerability Reporting
Alternative: Open a GitHub issue with the Security label and avoid posting exploit details publicly until a fix is available.
Please include:
- A clear description of the issue and its potential impact
- Steps to reproduce, or a minimal proof of concept
- Affected version(s)
- Any suggested mitigation or fix, if you have one
| Stage | Timeline |
|---|---|
| Initial acknowledgement | Within 3 business days |
| Triage and severity assessment | Within 7 business days |
| Fix or mitigation plan | Depends on severity; critical issues are prioritized |
| Coordinated disclosure | After a patched release is available |
We may ask follow-up questions during investigation. If the report is declined (for example, it is out of scope or not reproducible), we will explain why.
Please do not open public issues with full exploit details before a fix is released.
Reports are in scope when they demonstrate a security impact in QAST itself, such as:
- Parser bypass that allows disallowed fields or operators despite validation
- Denial of service through unbounded resource use in the library's parsing or validation path
- Injection or unsafe output when using built-in adapters with validated input
- Memory or CPU exhaustion within documented complexity limits
The following are generally out of scope:
- Vulnerabilities in downstream ORMs, databases, or application frameworks
- Misconfiguration by consumers (for example, omitting
allowedFieldsorvalidate: truein production) - Issues that require an attacker to control server-side code or deployment configuration outside QAST
QAST is designed to be safe by default, but correct integration is required:
allowedFieldsandallowedOperators— restrict which fields and operators can appear in a queryfieldConstraints— validate value types, ranges, enums, and patterns per fieldvalidate: "true"(default) — enforce whitelists and complexity limits during parsing- Complexity limits —
maxDepth,maxNodes,maxQueryLength,maxArrayLength,maxStringLength - Field sanitization —
sanitizeFieldName()helps prevent unsafe field names from reaching ORM layers
Example (recommended for production APIs):
const ast = parseQuery(rawFilter, {
allowedFields: ['age', 'name', 'active'],
allowedOperators: ['eq', 'ne', 'gt', 'lt', 'gte', 'lte', 'in'],
fieldConstraints: {
age: { type: 'number', min: 0, max: 130 },
active: { type: 'boolean' },
},
maxDepth: 5,
maxNodes: 50,
maxQueryLength: 2048,
validate: true,
});Security advisories for QAST are published via GitHub Security Advisories and noted in CHANGELOG.md.
QAST has zero runtime dependencies. Dev dependencies are used only for development and CI. Security updates to dev tooling are handled through Dependabot and routine maintenance releases.