We actively monitor and patch vulnerabilities in @studioframes/condense. Please ensure you are running the latest stable release to receive security updates.
| Version | Supported | Notes |
|---|---|---|
| 0.3.3 | ✅ | |
| 0.3.2 | ✅ | * |
| 0.3.1 | ❌ | Unsupported due to the version containing security vulnerabilities that have been patched in v0.3.2 |
| 0.3.0 | ❌ | Unsupported due to the version containing security vulnerabilities that have been patched in v0.3.2 |
| 0.2.x | ✅ | * |
| 0.1.x | ❌ | Deprecated |
* Versions marked with an asterisk are still supported but are not the main release line: they have no known vulnerabilities at present, but new fixes will not be backported to them, so check them for known vulnerabilities (for example through Socket) before using them.
To help keep the JavaScript ecosystem safe, @studioframes/condense implements the following security posture:
- Immutable Releases: All release tags (`v*`) are protected by repository rulesets that prevent force-pushes, deletion, and history rewrites, so a published tag cannot be silently repointed at different code.
- Build Provenance: Publication to the npm registry happens only through GitHub Actions authenticating to npm with OpenID Connect (OIDC), producing a verifiable cryptographic chain of custody from the source commit to the published package; no long-lived publish tokens are used.
- Process Sandboxing: Media operations via `ffmpeg` run in isolated background child processes with short execution timeouts, so a corrupted or malicious media file that wedges the decoder is killed instead of tying up the host (a Denial of Service (DoS) mitigation).
We take proactive measures to harden our software supply chain against upstream malicious injection, typosquatting, and compromised dependencies:
- Automated Vulnerability Scanning: Every pull request and a daily snapshot of each branch are audited with GitHub Dependabot, Socket, and `npm audit` to flag known CVEs so they can be remediated promptly.
- Strict Lockfile Enforcement: CI/CD installs only from the committed lockfile (`package-lock.json`), whose per-package `resolved` URLs and `integrity` hashes pin every dependency to an exact tarball, so production builds use exactly the dependency tree that was tested and no dependency can drift at install time.
- Minimal Dependency Footprint: We heavily vet and restrict third-party modules, preferring native Node.js APIs wherever possible, to reduce the surface area available for upstream compromise.
Please do not open public GitHub issues for security vulnerabilities. If you discover a security flaw, backdoor, or dependency risk within this package, please report it responsibly:
- Submit a Draft Security Advisory: Go to the Security tab of this repository on GitHub, select Advisories, and click New draft advisory.
- Provide Details: Include a detailed description of the vulnerability, steps or a proof-of-concept (PoC) script to reproduce the issue, and the potential impact.
- Timeline: We will acknowledge your report within 48 hours and work on a security patch. Once resolved, a new patch version will be published to npm, and a public advisory will be released to credit your disclosure.
Thank you for helping keep our open-source tools safe!