This section informs users about which versions of the XO project are currently receiving security updates.
| Version | Supported |
|---------|-----------|
| 0.2.0   | ✅        |
| 0.1.x   | ❌        |
| <0.1.0  | ❌        |
If you discover a security vulnerability in the XO project, please report it by following these steps:
- Email the vulnerability details to [security@xo.report](mailto:security@xo.report).
- Provide a thorough description of the issue, including steps to reproduce it, and any other pertinent information.
- Expect an acknowledgment of your report within 48 hours of submission.
- Fork the XO repository and create a new branch; after updating `SECURITY.md`, open a pull request. For guidance, review the documentation in 11.Create-a-SECURITY.md-File.md.
When a vulnerability is reported:
- We will confirm receipt of your report.
- Our team will assess the vulnerability and aim to communicate a timeframe for a resolution within 72 hours.
- All reports are treated with confidentiality, and we are committed to resolving security issues promptly and thoroughly.
- Vulnerability: Parsing error in PostCSS versions before 8.4.31.
- Affected Component: `postcss` (npm) in `yarn.lock`.
- Affected Versions: < 8.4.31.
- Patched Version: 8.4.31.
- Description: An issue in PostCSS before 8.4.31 affects linters using PostCSS to parse external, untrusted CSS. There may be `\r` discrepancies, as demonstrated in specific cases like `@font-face{ font:(\r/*);}` in a rule. This vulnerability can lead to parts of the CSS being parsed incorrectly as comments, which are then included in the PostCSS output.
- Mitigation: Upgrade `postcss` to version 8.4.31 or later. Review and update any affected CSS parsing implementations.
- Vulnerability: ReDoS vulnerability in `semver` package versions.
- Affected Component: `semver` (npm) in `yarn.lock`.
- Affected Versions: >= 7.0.0, < 7.5.2 on the 7.x branch; < 6.3.1 on the 6.x branch; all versions before 5.7.2.
- Patched Version: 7.5.2.
- Description: Versions of the `semver` package before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to ReDoS via the function `new Range`, especially when untrusted user data is provided as a range.
- Mitigation: Upgrade `semver` to version 7.5.2 or later. Validate and sanitize all user-provided data used as ranges in `semver`.
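Both advisories above name `yarn.lock` as the affected component, so the practical check is whether the resolved versions in that file fall inside the stated ranges. The following Node.js script is an added example and not part of the XO project's code: it parses a v1 `yarn.lock`, extracts each package's resolved version, and compares it against the affected ranges and patched versions stated in the two entries above. The lockfile content embedded in the script is constructed for the demonstration; the package names and version boundaries are the ones given above.

```javascript
// Added example (not XO project code): scan a v1 yarn.lock for the postcss and
// semver advisories listed above. Affected ranges and patched versions are
// taken from those entries; the lockfile text below is constructed.

// Constructed sample yarn.lock (v1 format), embedded so this runs offline.
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.22.0":
  version "7.22.5"
  resolved "https://registry.invalid/constructed"

postcss@^8.4.21:
  version "8.4.24"
  resolved "https://registry.invalid/constructed"
  dependencies:
    nanoid "^3.3.6"

"semver@^6.0.0", "semver@^6.3.0":
  version "6.3.0"

semver@^7.3.5:
  version "7.5.4"

semver@^5.6.0:
  version "5.7.2"
`;

// Parse a major.minor.patch prefix into [major, minor, patch]; a prerelease
// suffix is ignored and anything that is not a version yields null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-way compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Parse a v1 yarn.lock into [{ name, version }] records. A header line such as
// `"semver@^6.0.0", "semver@^6.3.0":` lists the requested specs; the resolved
// version follows on the indented `  version "x.y.z"` line.
function parseYarnLock(text) {
  const records = [];
  let currentNames = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Header: strip quotes, then take everything before the last '@' as the
      // package name so scoped packages like @babel/core are handled.
      currentNames = new Set(
        line.slice(0, -1).split(',').map((spec) => {
          const s = spec.trim().replace(/^"|"$/g, '');
          return s.slice(0, s.lastIndexOf('@'));
        })
      );
      continue;
    }
    const m = /^\s+version "([^"]+)"/.exec(line);
    if (m && currentNames) {
      for (const name of currentNames) records.push({ name, version: m[1] });
      currentNames = null;
    }
  }
  return records;
}

// Affected ranges exactly as stated in the two advisories above.
const ADVISORIES = [
  {
    name: 'postcss',
    patched: '8.4.31',
    affected: (v) => compareVersions(v, [8, 4, 31]) < 0,
  },
  {
    name: 'semver',
    patched: '7.5.2',
    affected: (v) =>
      (v[0] === 7 && compareVersions(v, [7, 5, 2]) < 0) ||
      (v[0] === 6 && compareVersions(v, [6, 3, 1]) < 0) ||
      compareVersions(v, [5, 7, 2]) < 0,
  },
];

// Return every lockfile entry whose resolved version is in an affected range.
function findAffected(lockText) {
  const findings = [];
  for (const { name, version } of parseYarnLock(lockText)) {
    const adv = ADVISORIES.find((a) => a.name === name);
    const parsed = parseVersion(version);
    if (adv && parsed && adv.affected(parsed)) {
      findings.push({ name, version, patched: adv.patched });
    }
  }
  return findings;
}

// Usage: on a real repository, read yarn.lock from disk instead of the sample.
for (const f of findAffected(SAMPLE_YARN_LOCK)) {
  console.log(`${f.name}@${f.version} is affected; upgrade to ${f.patched} or later`);
}
```

Run with `node` and point it at the repository's own `yarn.lock` to repeat the check after each dependency change. The scan matches on the resolved `version` line rather than on the requested range in the header, because a caret range such as `^7.3.5` says nothing about which version was actually locked.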
- Edit the File: Open the `SECURITY.md` in your project's root directory.
- Update Known Vulnerabilities: Add the detailed descriptions of the new vulnerabilities as shown above.
- Review the Changes: Ensure that all information is accurate and clearly stated.
- Commit and Push: Commit the changes with a message like "Update SECURITY.md with recent vulnerabilities" and push to your repository.
- Create a Pull Request: If you're not a direct maintainer, create a pull request for the maintainers to review and merge the changes.
- Notify Team Members: Inform your team or contributors about the update, especially if action is required on their part.
By regularly updating our `SECURITY.md` file, we ensure that our project's users and contributors are informed about current security risks and the steps taken to mitigate them. This practice is vital for maintaining the integrity and trustworthiness of our project.